The version of arp(8c) which shipped with versions of SunOs 4.1.X could be used to dump system memory by using the -f flag. This flag causes the file filename to be read and multiple entries to be set in the ARP tables. However, in this instance because of poor permission sets on /dev/kmem a user can specify the file to be read as /dev/kmem and therefore gain a dump of currently paged system memory. This could lead to a root compromise.
$ arp -f /dev/kmem | strings > mem