You can also drop (almost) any executable in place of explorer.exe; it's the basis of Windows Server "Core".
It has both good and bad sides, and the same (basic) thing is exploitable on Linux. You can replace `cat` with another executable and change the PATH so that the new `cat` comes first.

    /tmp/cat
    PATH=/tmp:$PATH

edit: I'm aware that this does not give root privilege (though it could, through some SUID hack or cowroot or anything really), but it is the same basic "flaw". (again, though it isn't really a flaw)
I think the Linux equivalent would be more like interrupting the boot process at the GRUB menu, then adding "init=/bin/sh" onto the kernel command line, so Linux boots into a root shell.
Not really. In any Linux system I've seen, if you can change PATH you can already execute your /tmp/cat directly. And generally PATH and LD_LIBRARY_PATH are not passed through suid or sudo.
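
The condition debated in this thread (a directory that anyone can write to sitting ahead of the real `cat` in PATH) can be checked for directly. The script below is an added example, not code from any commenter; the function names `entry_risk`, `audit_path` and `demo`, and the sandbox layout, are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: flags world-writable or non-absolute PATH entries.

# Print why a PATH entry is risky, or nothing if it looks safe.
entry_risk() {
    case "$1" in
        /*) ;;
        *) echo "RELATIVE"; return 0 ;;   # "", "." or relative: resolved against cwd
    esac
    [ -d "$1" ] || return 0
    case $(ls -ldL "$1" 2>/dev/null) in
        ????????w*) echo "WRITABLE" ;;    # 9th mode character is the "other" write bit
    esac
}

# Walk PATH in lookup order; report risky entries and every executable in
# them that shadows a same-named executable in a later entry.
audit_path() {
    rest="$1:"
    while [ -n "$rest" ]; do
        entry=${rest%%:*}; rest=${rest#*:}
        risk=$(entry_risk "$entry")
        [ -n "$risk" ] || continue
        echo "$risk ${entry:-(empty)}"
        for f in "${entry:-.}"/*; do
            [ -f "$f" ] && [ -x "$f" ] || continue
            later=$rest
            while [ -n "$later" ]; do
                d=${later%%:*}; later=${later#*:}
                t="${d:-.}/${f##*/}"
                if [ -f "$t" ] && [ -x "$t" ]; then echo "SHADOWS $f -> $t"; fi
            done
        done
    done
    return 0
}

# Constructed sample: a world-writable directory holding a planted "cat",
# ahead of a stand-in system directory, mirroring PATH=/tmp:$PATH.
demo() {
    sandbox=$(mktemp -d) || return 1
    mkdir -m 1777 "$sandbox/tmp"; mkdir -m 755 "$sandbox/bin"
    for d in tmp bin; do
        printf '#!/bin/sh\n' > "$sandbox/$d/cat"; chmod 755 "$sandbox/$d/cat"
    done
    audit_path "$sandbox/tmp:$sandbox/bin" | sed "s|$sandbox||g"
    rm -rf "$sandbox"
}
demo
```

To check a live session, call `audit_path "$PATH"` from the shell whose environment is in question.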