SUN : Security Vulnerabilities, CVEs, CVSS score between 7 and 7.99

FTP servers can allow an attacker to connect to arbitrary ports on machines other than the FTP client, aka FTP bounce.

Local user gains root privileges via buffer overflow in rdist, via expstr() function.

Local user gains root privileges via buffer overflow in rdist, via lookup() function.

Buffer overflow in lpr, as used in BSD-based systems including Linux, allows local users to execute arbitrary code as root via a long -C (classification) command line option.

Command execution in Sun systems via buffer overflow in the at program.

Buffer overflow in xlock program allows local users to execute commands as root.

Buffer overflow in Xt library of X Windowing System allows local users to execute commands with root privileges.

Arbitrary file creation and program execution using FLEXlm LicenseManager, from versions 4.0 to 5.0, in IRIX.

Buffer overflows in Sun libnsl allow root access.

Buffer overflow in Sun's ping program can give root access to local users.

Vacation program allows command execution by remote users through a sendmail command.

Multiple buffer overflows in how dtmail handles attachments allows a remote attacker to execute commands.

Solaris ufsrestore buffer overflow.

Certain NFS servers allow users to use mknod to gain privileges by creating a writable kmem device and setting the UID to 0.

Buffer overflow in ffbconfig in Solaris 2.5.1.

Sun/Solaris utmp file allows local users to gain root access if it is writable by users other than root.

vold in Solaris 2.x allows local users to gain root access.

admintool in Solaris allows a local user to write to arbitrary files and gain root access.

Kodak Color Management System (KCMS) on Solaris allows a local user to write to arbitrary files and gain root access.

Buffer overflow in Solaris x86 mkcookie allows local users to obtain root access.

The Java Applet Security Manager implementation in Netscape Navigator 2.0 and Java Developer's Kit 1.0 allows an applet to connect to arbitrary hosts.

The portmapper may act as a proxy and redirect service requests from an attacker, making the request appear to come from the local host, possibly bypassing authentication that would otherwise have taken place. For example, NFS file systems could be mounted through the portmapper despite export restrictions.

In SunOS or Solaris, a remote user could connect from an FTP server's data port to an rlogin server on a host that trusts the FTP server, allowing remote command execution.

The passwd command in Solaris can be subjected to a denial of service.

Solaris rpcbind listens on a high numbered UDP port, which may not be filtered since the standard port number is 111.