High Severity Vulnerabilities

111.5K CVEs classified as high severity

Total CVEs: 111.5K
Avg CVSS: 8.3 (High)
Max CVSS: 10.0 (Highest)
Min CVSS: 7.2 (Lowest)

High Severity CVEs

CVSS:7.5(High)

The GNU tar command, when used in FTP sessions, may allow an attacker to execute arbitrary commands.

CVSS:10.0(Critical)

Windows NT FTP server (WFTP) with the guest account enabled without a password allows an attacker to log into the FTP server using any username and password.

CVSS:10.0(Critical)

Buffer overflow in telnet daemon tgetent routine allows remote attackers to gain root access via the TERMCAP environmental variable.

CVSS:7.2(High)

Solaris rpcbind can be exploited to overwrite arbitrary files and gain root access.

CVSS:7.5(High)

Solaris rpcbind listens on a high numbered UDP port, which may not be filtered since the standard port number is 111.

CVSS:10.0(Critical)

In Solaris, an SNMP subagent has a default community string that allows remote attackers to execute arbitrary commands as root, or modify system parameters.

CVSS:7.5(High)

In SunOS or Solaris, a remote user could connect from an FTP server's data port to an rlogin server on a host that trusts the FTP server, allowing remote command execution.

CVSS:10.0(Critical)

Samba has a buffer overflow which allows a remote attacker to obtain root access by specifying a long password.

CVSS:7.5(High)

Buffer overflow in the win-c-sample program (win-c-sample.exe) in the WebSite web server 1.1e allows remote attackers to execute arbitrary code via a long query string.

CVSS:7.5(High)

The uploader program in the WebSite web server allows a remote attacker to execute arbitrary programs.

CVSS:7.5(High)

Remote attackers can mount an NFS file system in Ultrix or OSF, even if it is denied on the access list.

CVSS:10.0(Critical)

NFS allows attackers to read and write any file on the system by specifying a false UID.

CVSS:7.5(High)

The portmapper may act as a proxy and redirect service requests from an attacker, making the request appear to come from the local host, possibly bypassing authentication that would otherwise have tak...

CVSS:7.2(High)

In older versions of Sendmail, an attacker could use a pipe character to execute root commands.

CVSS:7.5(High)

In Cisco IOS 10.3, with the tacacs-ds or tacacs keyword, an extended IP access control list could bypass filtering.

CVSS:7.5(High)

Some classic Cisco IOS devices have a vulnerability in the PPP CHAP authentication to establish unauthorized PPP connections.

CVSS:7.5(High)

The ghostscript command with the -dSAFER option allows remote attackers to execute commands.