Solaris 2.5 x86 aspppd (semi-exploitable-hole)

 Although initialy when I first saw this hole I
 thought "noone is realy vunerable", but after
 seeing how badly aspppd handled my modem line
 getting dropped (Solaris doesnt down the
 interface, so you have to either restart aspppd,
 or do it manualy), I figured some people running
 scripts that restart aspppd might be.

 Its relatively simple, in /tmp/ lies .asppp.fifo
 which is world r/w if aspppd isnt running you
 simply ln -s /.rhosts /tmp/.asppp.fifo, when root
 executes aspppd, /.rhosts is opened r/w as a fifo,
 the second aspppd dies /.rhosts becomes a normal
 file world r/w.

 aspppd isnt setuid, so it must be run by root and
 later killed for any of this to work. Not likely,
 but if your like me and have a small  script to
 keep up your link, (not anymore) your probably
 vunerable.