Solaris chkperm allows local users to read files owned by bin via the VMSYS environmental variable and a symlink attack.

Denial of service in Solaris TCP streams driver via a malicious connection that causes the server to panic as a result of recursive calls to mutex_enter.

The dynamic linker in Solaris allows a local user to create arbitrary files via the LD_PROFILE environmental variable and a symlink attack.

The ToolTalk ttsession daemon uses weak RPC authentication, which allows a remote attacker to execute commands.

The CDE dtspcd daemon allows local users to execute arbitrary commands via a symlink attack.

Buffer overflow in the AddSuLog function of the CDE dtaction utility allows local users to gain root privileges via a long user name.

sdtcm_convert in Solaris 2.6 allows a local user to overwrite sensitive files via a symlink attack.

The Red Hat Linux su program does not log failed password guesses if the su process is killed before it times out, which allows local attackers to conduct brute force password guessing.

rpc.statd allows remote attackers to forward RPC calls to the local operating system via the SM_MON and SM_NOTIFY commands, which in turn could be used to remotely exploit other bugs such as in automountd.

In Sun Solaris and SunOS, man and catman contain vulnerabilities that allow overwriting arbitrary files.

Solaris ff.core allows local users to modify files.

rpc.admind in Solaris is not running in a secure mode.

The passwd command in Solaris can be subjected to a denial of service.

Buffer overflow in Solaris x86 mkcookie allows local users to obtain root access.

Buffer overflow in Solaris kcms_configure command allows local users to gain root access.

Vacation program allows command execution by remote users through a sendmail command.

Multiple buffer overflows in how dtmail handles attachments allows a remote attacker to execute commands.

Buffer overflow in the libauth library in Solaris allows local users to gain additional privileges, possibly root access.

Power management (Powermanagement) on Solaris 2.4 through 2.6 does not start the xlock process until after the sys-suspend has completed, which allows an attacker with physical access to input characters to the last active application from the keyboard for a short period after the system is restoring, which could lead to increased privileges.

Sun's ftpd daemon can be subjected to a denial of service.