Buffer overflows in Sun libnsl allow root access.

Solaris 2.6 HW3/98 installs admintool with world-writable permissions, which allows local users to gain privileges by replacing it with a Trojan horse program.

Inverse query buffer overflow in BIND 4.9 and BIND 8 Releases.

Solaris rpcbind can be exploited to overwrite arbitrary files and gain root access.

Execute commands as root via buffer overflow in Tooltalk database server (rpc.ttdbserverd).

ndd in Solaris 2.6 allows local users to cause a denial of service by modifying certain TCP/IP parameters.

A Unix account has a default, null, blank, or missing password.

Solaris volrmmount program allows attackers to read any file.

Buffer overflow in SGI IRIX mailx program.

ICMP messages to broadcast addresses are allowed, allowing for a Smurf attack that can cause a denial of service.

The AIX FTP client can be forced to execute commands from a malicious server through shell metacharacters (e.g. a pipe character).

DNS cache poisoning via BIND, by predictable query IDs.

ping in Solaris 2.3 through 2.6 allows local users to cause a denial of service (crash) via a ping request to a multicast address through the loopback interface, e.g. via ping -i.

The access permissions for a UNIX domain socket are ignored in Solaris 2.x and SunOS 4.x, and other BSD-based operating systems before 4.4, which could allow local users to connect to the socket and possibly disrupt or control the operations of the program using that socket.

Buffer overflow in Solaris fdformat command gives root access to local users.

Buffer overflow in xmcd 2.0p12 allows local users to gain access through an environmental variable.