Exploit of a major hole in procfs under FreeBSD 2.2.1 along with OpenBSD. The problem is all proc/#/mem access is controlled by the permissions on the file. This means you can fork() open the childs mem device and then have the child execute a setuid exec