Exploit:

   Some sshd 1.x/2.0 stupidities:
  ---------------------------------

  Unprivileged luser could create symlink in
  ~/.ssh (or ~/.sshd) to virtually any file -
  root's ~/.ssh entries, /dev/urandom or anything
  else. Sshd, during login attempt, but before any
  authorization, will happily read these files,
  ignoring ownership (yep, it's running at UID 0).
  Could be dangerous, could be not. But even if not,
  still allows some interesting DoSes from
  privileged UID.


                    Michal Zalewski [lcamtuf@ids.pl]
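
The defensive counterpart to the behaviour described above, as an added example that is not part of the original advisory and is not sshd's own code: a root daemon opening a per-user file should refuse symlinks, never block on devices or FIFOs, and check ownership on the descriptor it actually opened. The names open_user_file and demo, and the temporary paths, are hypothetical.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/* Open `name` inside directory `dir` on behalf of user `owner`.
 * Returns a read-only fd, or -1 if anything looks wrong. */
int open_user_file(const char *dir, const char *name, uid_t owner)
{
    struct stat st;
    int fd = -1;
    /* The directory itself must be a real directory, not a symlink. */
    int dfd = open(dir, O_RDONLY | O_DIRECTORY | O_NOFOLLOW);
    if (dfd < 0) return -1;
    /* O_NOFOLLOW fails (ELOOP) on a symlink; O_NONBLOCK never hangs on a FIFO. */
    if (fstat(dfd, &st) == 0 && st.st_uid == owner)
        fd = openat(dfd, name, O_RDONLY | O_NOFOLLOW | O_NONBLOCK | O_NOCTTY);
    close(dfd);
    if (fd < 0)
        return -1;
    /* Check the object actually opened, not the path: regular file, right owner. */
    if (fstat(fd, &st) != 0 || !S_ISREG(st.st_mode) || st.st_uid != owner) {
        close(fd);
        errno = EPERM;
        return -1;
    }
    return fd;
}

/* Constructed fixture: a temp dir holding one real file and one symlink.
 * Returns 1 if the real file is accepted and the symlink is refused. */
int demo(void)
{
    char dir[] = "/tmp/sshdemoXXXXXX", path[64];
    if (!mkdtemp(dir)) return -1;
    snprintf(path, sizeof path, "%s/authorized_keys", dir);
    int fd = open(path, O_WRONLY | O_CREAT | O_EXCL, 0600);
    if (fd < 0) return -1;
    close(fd);
    snprintf(path, sizeof path, "%s/link", dir);
    if (symlink("/dev/urandom", path) != 0) return -1;
    int ok = open_user_file(dir, "authorized_keys", getuid());
    int bad = open_user_file(dir, "link", getuid());
    if (ok >= 0) close(ok);
    return ok >= 0 && bad < 0;
}
```

Reading such files only after dropping to the target user's UID removes the ownership problem at its root; the checks above cover the case where the read has to happen while still privileged.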