Buffer overflow in the libauth library in Solaris allows local users to gain additional privileges, possibly root access.

Power management (Powermanagement) on Solaris 2.4 through 2.6 does not start the xlock process until after the sys-suspend has completed, which allows an attacker with physical access to input characters to the last active application from the keyboard for a short period after the system is restoring, which could lead to increased privileges.

libnsl in Solaris allowed an attacker to perform a denial of service of rpcbind.

Sun's ftpd daemon can be subjected to a denial of service.

Buffer overflow in NIS+, in Sun's rpc.nisd program.

Buffer overflow in BNU UUCP daemon (uucpd) through long hostnames.

Buffer overflows in Sun libnsl allow root access.

Solaris ufsrestore buffer overflow.

Inverse query buffer overflow in BIND 4.9 and BIND 8 Releases.

Denial of Service vulnerability in BIND 8 Releases via maliciously formatted DNS messages.

Denial of Service vulnerabilities in BIND 4.9 and BIND 8 Releases via CNAME record and zone transfer.

Solaris rpcbind can be exploited to overwrite arbitrary files and gain root access.

Execute commands as root via buffer overflow in Tooltalk database server (rpc.ttdbserverd).

SunOS rpc.cmsd allows attackers to obtain root access by overwriting arbitrary files.

Buffer overflow in SGI IRIX mailx program.

ICMP messages to broadcast addresses are allowed, allowing for a Smurf attack that can cause a denial of service.

FTP servers can allow an attacker to connect to arbitrary ports on machines other than the FTP client, aka FTP bounce.

Buffer overflow in statd allows root privileges.

Automount daemon automountd allows local or remote users to gain privileges via shell metacharacters.

The AIX FTP client can be forced to execute commands from a malicious server through shell metacharacters (e.g. a pipe character).