IRIX and AIX automountd services (autofsd) allow remote users to execute root commands.

Buffer overflow in the lex routines of nslookup for AIX 4.3 may allow attackers to cause a core dump and possibly execute arbitrary code via "long input strings."

(1) acledit and (2) aclput in AIX 4.3 allow local users to create or modify files via a symlink attack.

Buffer overflows in Sun libnsl allow root access.

Inverse query buffer overflow in BIND 4.9 and BIND 8 Releases.

Denial of Service vulnerabilities in BIND 4.9 and BIND 8 Releases via CNAME record and zone transfer.

Denial of Service vulnerability in BIND 8 Releases via maliciously formatted DNS messages.

Execute commands as root via buffer overflow in Tooltalk database server (rpc.ttdbserverd).

inetd in AIX 4.1.5 dynamically assigns a port N when starting ttdbserver (ToolTalk server), but also inadvertently listens on port N-1 without passing control to ttdbserver, which allows remote attackers to cause a denial of service via a large number of connections to port N-1, which are not properly closed by inetd.

sadc in IBM AIX 4.1 through 4.3, when called from programs such as timex that are setgid adm, allows local users to overwrite arbitrary files via a symlink attack.