xterm in Digital UNIX 4.0B *with* patch kit 5 allows local users to overwrite arbitrary files via a symlink attack on a core dump file, which is created when xterm is called with a DISPLAY environmental variable set to a display that xterm cannot access.

Telnet allows a remote client to specify environment variables including LD_LIBRARY_PATH, allowing an attacker to bypass the normal system libraries and gain root access.

Unspecified vulnerability in pt_chmod in SCO UNIX 4.2 and earlier allows local users to gain root access.

Vulnerability in "at" program in SCO UNIX 4.2 and earlier allows local users to gain root access.

Vulnerability in login in SCO UNIX 4.2 and earlier allows local users to gain root access.

Vulnerability in prwarn in SCO UNIX 4.2 and earlier allows local users to gain root access.

SCO UNIX System V/386 Release 3.2, and other SCO products, installs the home directories (1) /tmp for the dos user, and (2) /usr/tmp for the asg user, which allows other users to gain access to those accounts since /tmp and /usr/tmp are world-writable.