Sun ≫ Sunos

The dynamic linker in Solaris allows a local user to create arbitrary files via the LD_PROFILE environmental variable and a symlink attack.

The ToolTalk ttsession daemon uses weak RPC authentication, which allows a remote attacker to execute commands.

The CDE dtspcd daemon allows local users to execute arbitrary commands via a symlink attack.

Buffer overflow in the AddSuLog function of the CDE dtaction utility allows local users to gain root privileges via a long user name.

Buffer overflow in mail command in Solaris 2.7 and 2.7 allows local users to gain privileges via a long -m argument.

Buffer overflow in Solaris libc, ufsrestore, and rcp via LC_MESSAGES environmental variable.

DHCP clients with ICMP Router Discovery Protocol (IRDP) enabled allow remote attackers to modify their default routes.

The BSD profil system call allows a local user to modify the internal data space of a program via profiling and execve.

sdtcm_convert in Solaris 2.6 allows a local user to overwrite sensitive files via a symlink attack.

Buffer overflow in CDE Calendar Manager Service Daemon (rpc.cmsd).