Some functions that implement the locale subsystem on Unix do not properly cleanse user-injected format strings, which allows local attackers to execute arbitrary commands via functions such as gettext and catopen.

Buffer overflow in ufsrestore in Solaris 8 and earlier allows local users to gain root privileges via a long pathname.

The (1) rcS and (2) mountall programs in Sun Solaris 2.x, possibly before 2.4, start a privileged shell on the system console if fsck fails while the system is booting, which allows attackers with physical access to gain root privileges.

The Red Hat Linux su program does not log failed password guesses if the su process is killed before it times out, which allows local attackers to conduct brute force password guessing.

Buffer overflow in Solaris dtprintinfo program.

Vacation program allows command execution by remote users through a sendmail command.

Buffer overflow in Sun's ping program can give root access to local users.

NIS finger allows an attacker to conduct a denial of service via a large number of finger requests, resulting in a large number of NIS queries.

Buffer overflow in BNU UUCP daemon (uucpd) through long hostnames.

Solaris rpc.mountd generates error messages that allow a remote attacker to determine what files are on the server.

Execute commands as root via buffer overflow in Tooltalk database server (rpc.ttdbserverd).

The NIS+ rpc.nisd server allows remote attackers to execute certain RPC calls without authentication to obtain system information, disable logging, or modify caches.

Buffer overflow in eeprom in Solaris 2.5.1 and earlier allows local users to gain root privileges via a long command line argument.

Buffer overflow in chkey in Solaris 2.5.1 and earlier allows local users to gain root privileges via a long command line argument.

The access permissions for a UNIX domain socket are ignored in Solaris 2.x and SunOS 4.x, and other BSD-based operating systems before 4.4, which could allow local users to connect to the socket and possibly disrupt or control the operations of the program using that socket.

NFS cache poisoning.

The Sun sdtcm_convert calendar utility for OpenWindows has a buffer overflow which can gain root access.

Jolt ICMP attack causes a denial of service in Windows 95 and Windows NT systems.

An SNMP community name is the default (e.g. public), null, or missing.

The WorkMan program can be used to overwrite any file to get root access.