rsh in the remote_cmds component in Apple OS X prior to 10.11 allows local users to obtain root privileges via vectors involving environment variables.
The default root-suid binary /usr/bin/rsh on Mac OS X uses execv() in an insecure manner /usr/bin/rsh will invoke /usr/bin/rlogin if launched with only a host argument, without dropping privileges or clearing the environment This exploit will pass "MallocLogFile" to /usr/bin/rsh, which is then passed on to rlogin and interpreted by libmalloc to c ...