Buffer overflow in Sun's ping program can give root access to local users.

SunOS/Solaris FTP clients can be forced to execute arbitrary commands from a malicious FTP server.

Buffer overflow in the libauth library in Solaris allows local users to gain additional privileges, possibly root access.

Sun's ftpd daemon can be subjected to a denial of service.

Buffer overflow in NIS+, in Sun's rpc.nisd program.

Buffer overflow in BNU UUCP daemon (uucpd) through long hostnames.

Buffer overflows in Sun libnsl allow root access.

Inverse query buffer overflow in BIND 4.9 and BIND 8 Releases.

Denial of Service vulnerability in BIND 8 Releases via maliciously formatted DNS messages.

Denial of Service vulnerabilities in BIND 4.9 and BIND 8 Releases via CNAME record and zone transfer.

Solaris rpcbind can be exploited to overwrite arbitrary files and gain root access.

Execute commands as root via buffer overflow in Tooltalk database server (rpc.ttdbserverd).

SunOS rpc.cmsd allows attackers to obtain root access by overwriting arbitrary files.

FTP servers can allow an attacker to connect to arbitrary ports on machines other than the FTP client, aka FTP bounce.

The AIX FTP client can be forced to execute commands from a malicious server through shell metacharacters (e.g. a pipe character).

In SunOS or Solaris, a remote user could connect from an FTP server's data port to an rlogin server on a host that trusts the FTP server, allowing remote command execution.

Solaris sysdef command allows local users to read kernel memory, potentially leading to root privileges.

nis_cachemgr for Solaris NIS+ allows attackers to add malicious NIS+ servers.

DNS cache poisoning via BIND, by predictable query IDs.

Buffer overflow in SunOS/Solaris ps command.