/usr/bin/write contains an exploitable buffer overflow in the second argument it receives. If this data exceeds a predefined length, inserting two values into the argument it is possible to copy the first one into the memory position pointed by the second one, using this technique it is possible to execute arbitrary commands.
The exploit code below demonstrates this vulnerability.
/usr/bin/write overflow proof of conecpt.
Tested on Solaris 7 x86
Pablo Sor, Buenos Aires, Argentina. 01/2000