Buffer overflows in Sun libnsl allow root access.

Inverse query buffer overflow in BIND 4.9 and BIND 8 Releases.

Solaris rpcbind can be exploited to overwrite arbitrary files and gain root access.

Execute commands as root via buffer overflow in Tooltalk database server (rpc.ttdbserverd).

Solaris volrmmount program allows attackers to read any file.

Buffer overflow in SGI IRIX mailx program.

ICMP messages to broadcast addresses are allowed, allowing for a Smurf attack that can cause a denial of service.

The AIX FTP client can be forced to execute commands from a malicious server through shell metacharacters (e.g. a pipe character).

DNS cache poisoning via BIND, by predictable query IDs.

Buffer overflow in eeprom in Solaris 2.5.1 and earlier allows local users to gain root privileges via a long command line argument.

Buffer overflow in chkey in Solaris 2.5.1 and earlier allows local users to gain root privileges via a long command line argument.

The access permissions for a UNIX domain socket are ignored in Solaris 2.x and SunOS 4.x, and other BSD-based operating systems before 4.4, which could allow local users to connect to the socket and possibly disrupt or control the operations of the program using that socket.

NFS cache poisoning.

The Sun sdtcm_convert calendar utility for OpenWindows has a buffer overflow which can gain root access.

Local user gains root privileges via buffer overflow in rdist, via lookup() function.

Guessable magic cookies in X Windows allows remote attackers to execute commands, e.g. through xterm.

Sun/Solaris utmp file allows local users to gain root access if it is writable by users other than root.

The permissions for the /dev/audio device on Solaris 2.2 and earlier, and SunOS 4.1.x, allow any local user to read from the device, which could be used by an attacker to monitor conversations happening near a machine that has a microphone.

/usr/5bin/su in SunOS 4.1.3 and earlier uses a search path that includes the current working directory (.), which allows local users to gain privileges via Trojan horse programs.

SunOS 4.1.2 and earlier allows local users to gain privileges via "LD_*" environmental variables to certain dynamically linked setuid or setgid programs such as (1) login, (2) su, or (3) sendmail, that change the real and effective user ids to the same user.