abuse.console in Red Hat 2.1 uses relative pathnames to find and execute the undrv program, which allows local users to execute arbitrary commands via...
Echo and chargen, or other combinations of UDP services, can be used in tandem to flood the server, a.k.a. UDP bomb or UDP packet storm.
Kerberos 4 key servers allow a user to masquerade as another by breaking and generating session keys.
IIS 1.0 allows users to execute arbitrary commands using .bat or .cmd files.