Buffer overflow in socks5 server on Linux allows attackers to execute arbitrary commands via a long connection request.
pcnfsd (aka rpc.pcnfsd) allows local users to change file permissions, or execute arbitrary commands through arguments in the RPC call.
ucbmail allows remote attackers to execute commands via shell metacharacters that are passed to it from INN.
Buffer overflow in Xt library of X Windowing System allows local users to execute commands with root privileges.
Denial of Service vulnerabilities in BIND 4.9 and BIND 8 Releases via CNAME record and zone transfer.
Denial of Service vulnerability in BIND 8 Releases via maliciously formatted DNS messages.
Inverse query buffer overflow in BIND 4.9 and BIND 8 Releases.
rpc.ypupdated (NIS) allows remote users to execute arbitrary commands.
The suidperl and sperl programs do not give up root privileges when changing UIDs back to the original users, allowing root access.
Talkd, when given corrupt DNS information, can be used to execute arbitrary commands with root privileges.
Command execution via shell metacharacters in INN daemon (innd) 1.5 using "newgroup" and "rmgroup" control messages, and others.
DNS cache poisoning via BIND, by predictable query IDs.