Solaris ff.core allows local users to modify files.

The passwd command in Solaris can be subjected to a denial of service.

Buffer overflow in Solaris x86 mkcookie allows local users to obtain root access.

Vacation program allows command execution by remote users through a sendmail command.

CDE screen lock program (screenlock) on Solaris 2.6 does not properly lock an unprivileged user's console session when the host is an NIS+ client, which allows others with physical access to login with any string.

Buffer overflow in Sun's ping program can give root access to local users.

Multiple buffer overflows in how dtmail handles attachments allows a remote attacker to execute commands.

Buffer overflow in the libauth library in Solaris allows local users to gain additional privileges, possibly root access.

Solaris SUNWadmap can be exploited to obtain root access.

Power management (Powermanagement) on Solaris 2.4 through 2.6 does not start the xlock process until after the sys-suspend has completed, which allows an attacker with physical access to input characters to the last active application from the keyboard for a short period after the system is restoring, which could lead to increased privileges.

cmdtool in OpenWindows 3.0 and XView 3.0 in SunOS 4.1.4 and earlier allows attackers with physical access to the system to display unechoed characters (such as those from password prompts) via the L2/AGAIN key.

NIS finger allows an attacker to conduct a denial of service via a large number of finger requests, resulting in a large number of NIS queries.

Buffer overflow in BNU UUCP daemon (uucpd) through long hostnames.

Buffer overflows in Sun libnsl allow root access.

Solaris rpc.mountd generates error messages that allow a remote attacker to determine what files are on the server.

Inverse query buffer overflow in BIND 4.9 and BIND 8 Releases.

Solaris rpcbind can be exploited to overwrite arbitrary files and gain root access.

Execute commands as root via buffer overflow in Tooltalk database server (rpc.ttdbserverd).

The NIS+ rpc.nisd server allows remote attackers to execute certain RPC calls without authentication to obtain system information, disable logging, or modify caches.

Solaris volrmmount program allows attackers to read any file.