IIS 1.0 allows users to execute arbitrary commands using .bat or .cmd files.

Kerberos 4 key servers allow a user to masquerade as another by breaking and generating session keys.

Echo and chargen, or other combinations of UDP services, can be used in tandem to flood the server, a.k.a. UDP bomb or UDP packet storm.

abuse.console in Red Hat 2.1 uses relative pathnames to find and execute the undrv program, which allows local users to execute arbitrary commands via a path that points to a Trojan horse program.

Vulnerability in object server program in SGI IRIX 5.2 through 6.1 allows remote attackers to gain root privileges in certain configurations.

rxvt, when compiled with the PRINT_PIPE option in various Linux operating systems including Linux Slackware 3.0 and RedHat 2.1, allows local users to gain root privileges by specifying a malicious program using the -print-pipe command line parameter.

rpc.ypupdated (NIS) allows remote users to execute arbitrary commands.

Race condition in Linux mailx command allows local users to read user files.

Buffer overflow in Linux splitvt command gives root access to local users.

vhe_u_mnt program in HP-UX allows local users to create root files through symlinks.

Certain configurations of wu-ftp FTP server 2.4 use a _PATH_EXECPATH setting to a directory with dangerous commands, such as /bin, which allows remote authenticated users to gain root access via the "site exec" command.

Guessable magic cookies in X Windows allows remote attackers to execute commands, e.g. through xterm.

Buffer overflow in syslog utility allows local or remote attackers to gain root privileges.

Telnet allows a remote client to specify environment variables including LD_LIBRARY_PATH, allowing an attacker to bypass the normal system libraries and gain root access.

Livingston portmaster machines could be rebooted via a series of commands.

Some configurations of NIS+ in Linux allowed attackers to log in as the user "+".

The ghostscript command with the -dSAFER option allows remote attackers to execute commands.

A race condition in the Solaris ps command allows an attacker to overwrite critical files.

SunOS sendmail 5.59 through 5.65 uses popen to process a forwarding host argument, which allows local users to gain root privileges by modifying the IFS (Internal Field Separator) variable and passing crafted values to the -oR option.

In Sendmail, attackers can gain root privileges via SMTP by specifying an improper "mail from" address and an invalid "rcpt to" address that would cause the mail to bounce to a program.