Bugtraq mailing list archives

X11R6 NetBSD Security Problem


From: telnetd () DOEMILL SHOCKING COM (in.telnetd)
Date: Sun, 21 Mar 1999 21:34:48 -0800


Hey
 If this has already been brought up, you have the right to stone me to
death, but I haven't seen it and I've searched, so here it is:

I was fooling around today, and decided to rm /tmp/.X11-unix and then make
a symbolic link from a file to /tmp/.X11-unix and then startx. So I backed
up /etc/passwd and
ln -s /etc/passwd /tmp/.X11-unix
and then startx'd as a normal user account, but X wouldn't start, it
complained and said "is not a directory". So, I made a symbolic link from
/root to /tmp/.X11-unix, and startx'd as a normal user, and was surprised
to have write access to /root.
I was able to write new files to /root but was not able to overwrite or
change files, I was able to make a "+ +" .rhosts though.
I did this to /etc also, changed it from:

drwxr-xr-x

To:

drwxrwxrwt

with:

telnetd ~$ ln -s /etc /tmp/.X11-unix
telnetd ~$ startx

I have tested this via a remote telnet session also. It works if you are
able to startx and X isn't already running.
I swung my chair around and got on my gateway, telnetted to stinky, logged
in as a normal user, ln -s /etc /tmp/.X11-unix, startx'd remotely, saw
the X startup crap, looked behind me and saw X starting on stinky, I
turned to my gateway and stopped X, and had write access to /etc.

wh00t@$#!$

The only real thing I can think of for this to be useful is .rhosts in
/root...
later
telnetd () doemill shocking com
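
An added example, not part of the original post and not X server source: one way a privileged program can create a world-writable sticky socket directory such as /tmp/.X11-unix so that a symlink left at that path is refused, and the mode change the post shows on /etc never reaches the link target. The names make_socket_dir and mode_of and the sandbox paths in main() are assumptions made for illustration.

```c
#ifndef _POSIX_C_SOURCE
#define _POSIX_C_SOURCE 200809L
#endif
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/* Returns 0 on success, -1 if the path is unsafe or a call failed. */
int make_socket_dir(const char *path)
{
    struct stat st;
    int fd, ok;

    /* mkdir() never follows a symlink at the final component (EEXIST). */
    if (mkdir(path, 0700) != 0 && errno != EEXIST)
        return -1;
    /* O_NOFOLLOW rejects a symlink, O_DIRECTORY rejects a plain file. */
    fd = open(path, O_RDONLY | O_DIRECTORY | O_NOFOLLOW);
    if (fd < 0)
        return -1;
    /* Check and chmod the opened object itself, so swapping the path
     * afterwards cannot redirect the mode change. */
    ok = fstat(fd, &st) == 0 && S_ISDIR(st.st_mode) &&
         st.st_uid == geteuid() && fchmod(fd, 01777) == 0;
    close(fd);
    return ok ? 0 : -1;
}

/* Mode bits of path after following symlinks, or -1 on error. */
int mode_of(const char *path)
{
    struct stat st;
    return stat(path, &st) == 0 ? (int)(st.st_mode & 07777) : -1;
}

int main(void)
{
    /* Constructed sandbox: "victim" stands in for /etc or /root. */
    char base[] = "/tmp/sockdirXXXXXX", victim[64], lnk[64];
    if (!mkdtemp(base)) return 1;
    snprintf(victim, sizeof victim, "%s/victim", base);
    snprintf(lnk, sizeof lnk, "%s/.X11-unix", base);
    if (mkdir(victim, 0755) || chmod(victim, 0755) || symlink(victim, lnk)) return 1;
    int rc = make_socket_dir(lnk);
    printf("symlink at path: rc=%d, victim mode=%o\n", rc, mode_of(victim));
    return 0;
}
```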