Buffer overflow in lpr, as used in BSD-based systems including Linux, allows local users to execute arbitrary code as root via a long -C (classification) command line option.
Buffer overflows in Sun libnsl allow root access.
Solaris ufsrestore buffer overflow.
Sun/Solaris utmp file allows local users to gain root access if it is writable by users other than root.
Buffer overflow in ffbconfig in Solaris 2.5.1.
Command execution in Sun systems via buffer overflow in the at program.
The Sun sdtcm_convert calendar utility for OpenWindows has a buffer overflow which can gain root access.
Certain NFS servers allow users to use mknod to gain privileges by creating a writable kmem device and setting the UID to 0.
Unspecified vulnerability in Oracle Solaris 10 allows local users to affect confidentiality, integrity, and availability via unknown vectors related to Kernel.
Unspecified vulnerability in Oracle Sun Solaris 10 and 11 allows local users to affect confidentiality, integrity, and availability via unknown vectors related to Zone Framework.
Unspecified vulnerability in the multi-language environment library (libmle) in Solaris 7 and 8, as shipped with the Japanese locale, allows local users to gain privileges via unknown attack vectors.
Sun Chili!Soft ASP has weak permissions on various configuration files, which allows a local attacker to gain additional privileges and create a denial of service.
Buffer overflow in tip in Solaris 8 and earlier allows local users to execute arbitrary commands via a long HOME environmental variable.
Buffer overflow in ipcs in Solaris 7 x86 allows local users to execute arbitrary code via a long TZ (timezone) environmental variable, a different vulnerability than CAN-2002-0093.
Buffer overflow in ptexec in the Sun Validation Test Suite 4.3 and earlier allows a local user to gain privileges via a long -o argument.
Buffer overflow in ufsrestore in Solaris 8 and earlier allows local users to gain root privileges via a long pathname.
Buffer overflow in Xsun X server in Solaris 7 allows local users to gain root privileges via a long -dev parameter.
Buffer overflow in nss_nisplus.so.1 library in NIS+ in Solaris 2.3 and 2.4 allows local users to gain root privileges.
SunOS sendmail 5.59 through 5.65 uses popen to process a forwarding host argument, which allows local users to gain root privileges by modifying the IFS (Internal Field Separator) variable and passing crafted values to the -oR option.
The installation of Sun Source (sunsrc) tapes allows local users to gain root privileges via setuid root programs (1) makeinstall or (2) winstall.
Buffer overflow in eeprom in Solaris 2.5.1 and earlier allows local users to gain root privileges via a long command line argument.
aspppd on Solaris 2.5 x86 allows local users to modify arbitrary files and gain root privileges via a symlink attack on the /tmp/.asppp.fifo file.
Buffer overflow in uum program for Canna input system allows local users to gain root privileges.
Unspecified vulnerability in Oracle Sun Solaris 10 and 11 allows local users to affect confidentiality, integrity, and availability via unknown vectors related to Gnome Trusted Extension.
Arbitrary file creation and program execution using FLEXlm LicenseManager, from versions 4.0 to 5.0, in IRIX.
In Solaris 2.2 and 2.3, when fsck fails on startup, it allows a local user with physical access to obtain root access.
The WorkMan program can be used to overwrite any file to get root access.
The passwd command in Solaris can be subjected to a denial of service.
Buffer overflow in Solaris fdformat command gives root access to local users.
Buffer overflow in the libauth library in Solaris allows local users to gain additional privileges, possibly root access.
Buffer overflow in Sun's ping program can give root access to local users.
Unspecified vulnerability in Oracle Sun Solaris 11 allows local users to affect confidentiality, integrity, and availability via unknown vectors related to Power Management.
Directory traversal vulnerability in priocntl system call in Solaris does allows local users to execute arbitrary code via ".." sequences in the pc_clname field of a pcinfo_t structure, which cause priocntl to load a malicious kernel module.
The x86-64 kernel system-call functionality in Xen 4.1.2 and earlier, as used in Citrix XenServer 6.0.2 and earlier and other products; Oracle Solaris 11 and earlier; illumos before r13724; Joyent SmartOS before 20120614T184600Z; FreeBSD before 9.0-RELEASE-p3; NetBSD 6.0 Beta and earlier; Microsoft Windows Server 2008 R2 and R2 SP1 and Windows 7 Gold and SP1; and possibly other operating systems, when running on an Intel processor, incorrectly uses the sysret path in cases where a certain address is not a canonical address, which allows local users to gain privileges via a crafted application. NOTE: because this issue is due to incorrect use of the Intel specification, it should have been split into separate identifiers; however, there was some value in preserving the original mapping of the multi-codebase coordinated-disclosure effort to a single identifier.
Unspecified vulnerability in Oracle Solaris 10 allows local users to affect confidentiality, integrity, and availability via unknown vectors related to Installer.
Buffer overflow in uustat in Sun Solaris 8 and 9 allows local users to execute arbitrary code via a long -S command line argument.
Buffer overflow in the LDAP naming services library (libsldap) in Sun Solaris 8 allows local users to execute arbitrary code via a long LDAP_OPTIONS environment variable to a privileged program that uses libsldap.
Buffer overflow in ximp40 shared library in Solaris 7 and Solaris 8 allows local users to gain privileges via a long "arg0" (process name) argument.
Buffer overflow in exrecover in Solaris 2.6 and earlier possibly allows local users to gain privileges via a long command line argument.
The installation of Sun Internet Mail Server (SIMS) creates a world-readable file that allows local users to obtain passwords.
Buffer overflow in CDE dtmail and dtmailpr programs allows local users to gain privileges via a long -f option.
SunOS 4.1.2 and earlier allows local users to gain privileges via "LD_*" environmental variables to certain dynamically linked setuid or setgid programs such as (1) login, (2) su, or (3) sendmail, that change the real and effective user ids to the same user.
Unspecified vulnerability in Oracle Solaris 11 allows local users to affect confidentiality, integrity, and availability via unknown vectors related to Power Management Utility.
Unspecified vulnerability in the kernel in Sun Solaris 10 and OpenSolaris 2009.06 on the x86-64 platform allows local users to gain privileges via unknown vectors, as demonstrated by the vd_sol_local module in VulnDisco Pack Professional 8.12. NOTE: as of 20091203, this disclosure has no actionable information. However, because the VulnDisco Pack author is a reliable researcher, the issue is being assigned a CVE identifier for tracking purposes.
Unspecified vulnerability in Oracle Sun Solaris 11 allows local users to affect confidentiality, integrity, and availability via vectors related to Kernel/X86.
Heap-based buffer overflow in w in Sun Solaris 8 through 10, and OpenSolaris before snv_124, allows local users to gain privileges via unspecified vectors.
Multiple unspecified vulnerabilities in the (1) iscsiadm and (2) iscsitadm programs in Sun Solaris 10, and OpenSolaris snv_28 through snv_109, allow local users with certain RBAC execution profiles to gain privileges via unknown vectors related to the libima library.
Unknown vulnerability in passwd(1) in Solaris 8.0 and 9.0 allows local users to gain privileges via unknown attack vectors.
Unspecified vulnerability in txzonemgr in Sun OpenSolaris has unknown impact and local attack vectors, related to a "Temporary file vulnerability," aka Bug ID 6653462.
Unspecified vulnerability in the root/boot archive tool in Sun OpenSolaris has unknown impact and local attack vectors, related to a "Temporary file vulnerability," aka Bug ID 6653455.