You can also drop (almost) any executable in place of explorer.exe, it's the basis of Windows Server "Core".

It has both good and bad sides, and the same (basic) thing is exploitable on linux. You can replace `cat` with another executable and change the PATH so that the new `cat` comes first.

   /tmp/cat
   PATH=/tmp:$PATH

edit: I'm aware that this does not give root privilege (though it could, through some SUID hack or cowroot or anything really), but it is the same basic "flaw". (again, though it isn't really a flaw)