Arbitrary file creation and program execution using FLEXlm LicenseManager, from versions 4.0 to 5.0, in IRIX.

Sendmail allows local users to write to a file and gain group permissions via a .forward or :include: file.

Buffer overflow in lpr, as used in BSD-based systems including Linux, allows local users to execute arbitrary code as root via a long -C (classification) command line option.

Expreserve, as used in vi and ex, allows local users to overwrite arbitrary files and gain root access.

Local user gains root privileges via buffer overflow in rdist, via lookup() function.

Local user gains root privileges via buffer overflow in rdist, via expstr() function.

Buffer overflow in syslog utility allows local or remote attackers to gain root privileges.

SunOS sendmail 5.59 through 5.65 uses popen to process a forwarding host argument, which allows local users to gain root privileges by modifying the IFS (Internal Field Separator) variable and passing crafted values to the -oR option.

The permissions for the /dev/audio device on Solaris 2.2 and earlier, and SunOS 4.1.x, allow any local user to read from the device, which could be used by an attacker to monitor conversations happening near a machine that has a microphone.

Sun SunOS 4.1 through 4.1.3 allows local attackers to gain root access via insecure permissions on files and directories such as crash.