We all know that you can pass most environment variables to a login shell when started through telnetd. Assuming you have the password for a sliplogin account on a Linux box, you can pass the ENV variable in this fashion. The attack goes something like this:

    ENV='`/evil/command`' telnet
    telnet> environ export ENV
    telnet> open targethost

You then log into your regular slip account, which executes sliplogin as your login shell. Sliplogin, in turn, runs the /etc/slip.login shell script using bash. At startup, bash evaluates *and expands* ENV to obtain the name of a startup file to use instead of .bashrc, and faithfully executes /evil/command.

This is particularly nasty since sliplogin runs the login/logout scripts under the real and effective uid of root in order to be able to manipulate network interfaces and routing tables.

The fix in the new version of sliplogin is to clean out the entire environment, and pass only a predefined PATH variable when running slip.login or slip.logout.
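
The fix described above, sketched as an added example (this is not sliplogin's actual source): a privileged helper runs its hook script through execve() with an environment that contains only a fixed PATH, so an ENV value inherited from telnetd never reaches the shell. The names run_with_clean_env and env_count and the SAFE_PATH value are assumptions made for illustration.

```c
#include <stdlib.h>
#include <string.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

/* Assumed value; the page only says "a predefined PATH". */
#define SAFE_PATH "PATH=/bin:/usr/bin:/sbin:/usr/sbin"

/* The only environment the child will ever see: nothing is inherited. */
static char *const clean_env[] = { SAFE_PATH, NULL };

/* Number of entries in a NULL-terminated environment vector. */
size_t env_count(char *const envp[])
{
    size_t n = 0;
    while (envp[n] != NULL)
        n++;
    return n;
}

/*
 * Fork and exec argv[0] with clean_env instead of the caller's environ.
 * Returns the child's exit status (127 if the exec failed), or -1 if
 * fork/waitpid failed or the child did not exit normally.
 */
int run_with_clean_env(char *const argv[])
{
    int status;
    pid_t pid = fork();

    if (pid < 0)
        return -1;
    if (pid == 0) {
        /* execve, not execv() or system(): those pass environ through. */
        execve(argv[0], argv, clean_env);
        _exit(127);
    }
    if (waitpid(pid, &status, 0) < 0 || !WIFEXITED(status))
        return -1;
    return WEXITSTATUS(status);
}

int main(void)
{
    /* Constructed, harmless value standing in for an ENV set by the client. */
    setenv("ENV", "/nonexistent/startup-file", 1);
    char *const argv[] = { "/bin/sh", "-c", "test -z \"${ENV+set}\"", NULL };
    return run_with_clean_env(argv);  /* 0 when ENV did not reach the child */
}
```

Building the environment from an allowlist, rather than unsetting known-dangerous names such as ENV, also covers variables nobody thought to blacklist.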