Format string vulnerabilities in OpenBSD ssh program (and possibly other BSD-based operating systems) allow malicious users to gain root privileges.
openbsd openssh 4.5