Sun reports that a unprivileged user may be able to execute arbitrary commands with the permissions of the sadmind(1M) daemon on Solaris systems which have sadmind(1M) enabled in inetd.conf(4).
"The sadmind(1M) daemon normally runs with "root" (uid 0) privileges. If the sadmind(1M) daemon is utilizing the default security level authentication mechanism of AUTH_SYS (see secure_rpc(3NSL)), users may be able to forge AUTH_SYS credentials."
The operating systems affected are: Sun Solaris 9, Sun Solaris 8 and Sun Solaris 7.
More information is found at