Power management (Powermanagement) on Solaris 2.4 through 2.6 does not start the xlock process until after the sys-suspend has completed, which allows an attacker with physical access to input characters to the last active application from the keyboard for a short period after the system is restoring, which could lead to increased privileges.

libnsl in Solaris allowed an attacker to perform a denial of service of rpcbind.

Sun's ftpd daemon can be subjected to a denial of service.

Buffer overflow in NIS+, in Sun's rpc.nisd program.

Buffer overflow in BNU UUCP daemon (uucpd) through long hostnames.

Buffer overflows in Sun libnsl allow root access.

Solaris 2.6 HW3/98 installs admintool with world-writable permissions, which allows local users to gain privileges by replacing it with a Trojan horse program.

Inverse query buffer overflow in BIND 4.9 and BIND 8 Releases.

Solaris rpcbind can be exploited to overwrite arbitrary files and gain root access.

Execute commands as root via buffer overflow in Tooltalk database server (rpc.ttdbserverd).

ndd in Solaris 2.6 allows local users to cause a denial of service by modifying certain TCP/IP parameters.

A Unix account has a default, null, blank, or missing password.

The NIS+ rpc.nisd server allows remote attackers to execute certain RPC calls without authentication to obtain system information, disable logging, or modify caches.

Solaris volrmmount program allows attackers to read any file.

Buffer overflow in SGI IRIX mailx program.

ICMP messages to broadcast addresses are allowed, allowing for a Smurf attack that can cause a denial of service.

The AIX FTP client can be forced to execute commands from a malicious server through shell metacharacters (e.g. a pipe character).

rpc.mountd on Linux, Ultrix, and possibly other operating systems, allows remote attackers to determine the existence of a file on the server by attempting to mount that file, which generates different error messages depending on whether the file exists or not.

DNS cache poisoning via BIND, by predictable query IDs.

ping in Solaris 2.3 through 2.6 allows local users to cause a denial of service (crash) via a ping request to a multicast address through the loopback interface, e.g. via ping -i.