Buffer overflow in the AddSuLog function of the CDE dtaction utility allows local users to gain root privileges via a long user name.

Vulnerability in ptrace in AIX 4.3 allows local users to gain privileges by attaching to a setgid program.

snap command in AIX before 4.3.2 creates the /tmp/ibmsupt directory with world-readable permissions and does not remove or clear the directory when snap -a is executed, which could allow local users to access the shadowed password file by creating /tmp/ibmsupt/general/passwd before root runs snap -a.

Buffer overflows in Sun libnsl allow root access.

Inverse query buffer overflow in BIND 4.9 and BIND 8 Releases.

Execute commands as root via buffer overflow in Tooltalk database server (rpc.ttdbserverd).

sadc in IBM AIX 4.1 through 4.3, when called from programs such as timex that are setgid adm, allows local users to overwrite arbitrary files via a symlink attack.

Vulnerability in digest in AIX 4.3 allows printq users to gain root privileges by creating and/or modifing any file on the system.

Various vulnerabilities in the AIX portmir command allows local users to obtain root access.

The AIX FTP client can be forced to execute commands from a malicious server through shell metacharacters (e.g. a pipe character).