Execute commands as root via buffer overflow in Tooltalk database server (rpc.ttdbserverd).

The AIX FTP client can be forced to execute commands from a malicious server through shell metacharacters (e.g. a pipe character).

NFS cache poisoning.

Buffer overflow of rlogin program using TERM environmental variable.

Arbitrary file creation and program execution using FLEXlm LicenseManager, from versions 4.0 to 5.0, in IRIX.

Malicious option settings in UDP packets could force a reboot in SunOS 4.1.3 systems.

Expreserve, as used in vi and ex, allows local users to overwrite arbitrary files and gain root access.

Local user gains root privileges via buffer overflow in rdist, via expstr() function.

SunOS sendmail 5.59 through 5.65 uses popen to process a forwarding host argument, which allows local users to gain root privileges by modifying the IFS (Internal Field Separator) variable and passing crafted values to the -oR option.

Extra long export lists over 256 characters in some mount daemons allows NFS directories to be mounted by anyone.