The rwho/rwhod service is running, which exposes machine status and user information.

Command execution in Sun systems via buffer overflow in the at program.

Buffer overflow in AIX lquerylv program gives root access to local users.

Buffer overflow in Xt library of X Windowing System allows local users to execute commands with root privileges.

Buffer overflow in AIX dtterm program for the CDE.

Buffer overflow in xlock program allows local users to execute commands as root.

Buffer overflow in NLS (Natural Language Service).

Talkd, when given corrupt DNS information, can be used to execute arbitrary commands with root privileges.

Jolt ICMP attack causes a denial of service in Windows 95 and Windows NT systems.

Oversized ICMP ping packets can result in a denial of service, aka Ping o' Death.

Buffer overflow in AIX and Solaris "gethostbyname" library call allows root access through corrupt DNS host names.

Sendmail allows local users to write to a file and gain group permissions via a .forward or :include: file.

Local users can start Sendmail in daemon mode and gain root privileges.

Denial of service when an attacker sends many SYN packets to create multiple connections without ever sending an ACK to complete the connection, aka SYN flood.

Buffer overflow and denial of service in Sendmail 8.7.5 and earlier through GECOS field gives root access to local users.

Buffer overflow in rwhod on AIX and other operating systems allows remote attackers to execute arbitrary code via a UDP packet with a long hostname.

Local user gains root privileges via buffer overflow in rdist, via lookup() function.

Local user gains root privileges via buffer overflow in rdist, via expstr() function.

pcnfsd (aka rpc.pcnfsd) allows local users to change file permissions, or execute arbitrary commands through arguments in the RPC call.