Local user gains root privileges via buffer overflow in rdist, via lookup() function.

Local user gains root privileges via buffer overflow in rdist, via expstr() function.

Delete or create a file via rpc.statd, due to invalid information.

pcnfsd (aka rpc.pcnfsd) allows local users to change file permissions, or execute arbitrary commands through arguments in the RPC call.

Buffer overflow in syslog utility allows local or remote attackers to gain root privileges.

SunOS sendmail 5.59 through 5.65 uses popen to process a forwarding host argument, which allows local users to gain root privileges by modifying the IFS (Internal Field Separator) variable and passing crafted values to the -oR option.

passwd in SunOS 4.1.x allows local users to overwrite arbitrary files via a symlink attack and the -F command line argument.

Sun/Solaris utmp file allows local users to gain root access if it is writable by users other than root.

Extra long export lists over 256 characters in some mount daemons allows NFS directories to be mounted by anyone.

The permissions for the /dev/audio device on Solaris 2.2 and earlier, and SunOS 4.1.x, allow any local user to read from the device, which could be used by an attacker to monitor conversations happening near a machine that has a microphone.