The harsh reality is, you're safer
having someone go through the motions of a single mode boot to fix the password however, even with a single boot, I don't believe they'd be able to get far under certain conditions... Is PROM protected? If so, I *do* hope that password is remembered.
Now, you stated that the password entry for root is borked, and while this is fixable, a lost PROM password is a whole "nother" ballgame. So do you know if "security-mode" is set to full on PROM if so, then you'll have to make sure whomever is booting into single mode knows this and knows the password for getting past the PROM.
Again, to be on the safe side, you'd be safer to get someone to go through the motions (boot -s) however, make sure you have all the information down to a science (supplied them with all the credentials, etc.) otherwise the longer that server is down, the more money you potentially lose. If you do want to keep on trying local exploits, you can try the linked local exploits for Solaris. Again, use those and ANY exploit at your own risk.http://www.exploit-db.com/exploits/1182/http://www.exploit-db.com/exploits/715/
I had a similar scenario last week with a FreeBSD 8.1 box I deployed to do flow-analysis. I created the machine for a client to run tshark, etc and SCP over the files to me on an hourly basis for analysis. The client supplied the server, I installed and scripted some tools and I created the password based on what the client wanted... Guess what? He lost the password and there was NO ONE around to boot into single mode for me. The machine itself was in another state and NOT a NOC where I would have had someone to do anything for me. Lo-and-behold one of kingcope's local exploits came in handy for me. From $USER to root in less than 10 minutes (about 8 were spent shmoozing via email and searching).
Anyway, my rambling is besides the point I guess... You're better off having someone ON-SITE do any changes to be on the safer side. I'd suggest having them perform these changes as late (non-used hours) as possible and enforce this. I've seen NOC's and their engineers say "sure... at 3AM alright", then turn around 15 minutes later. Your SLA is king
Also, if possible you'd want to know WHO would be making the changes (booting into single) beforehand so you can walk through the motions with them either via email or on the phone. This ensures (as best as possible) that someone with a clue is going to make the change.