Command execution in Sun systems via buffer overflow in the at program.

Buffer overflow in lpr, as used in BSD-based systems including Linux, allows local users to execute arbitrary code as root via a long -C (classification) command line option.

root privileges via buffer overflow in xlock command on SGI IRIX systems.

root privileges via buffer overflow in login/scheme command on SGI IRIX systems.

root privileges via buffer overflow in eject command on SGI IRIX systems.

root privileges via buffer overflow in df command on SGI IRIX systems.

Local user gains root privileges via buffer overflow in rdist, via lookup() function.

Arbitrary command execution via buffer overflow in Count.cgi (wwwcount) cgi-bin program.

Buffer overflow in statd allows root privileges.

FTP servers can allow an attacker to connect to arbitrary ports on machines other than the FTP client, aka FTP bounce.

Unauthorized privileged access or denial of service via dtappgather program in CDE.

Inverse query buffer overflow in BIND 4.9 and BIND 8 Releases.

Buffer overflow in NIS+, in Sun's rpc.nisd program.

Arbitrary command execution via IMAP buffer overflow in authenticate command.

Execute commands as root via buffer overflow in Tooltalk database server (rpc.ttdbserverd).

Buffer overflow in NFS mountd gives root access to remote attackers, mostly in Linux systems.