NFS used to be one of the most popular ways to break into machines on the 1990s Internet. Leendert van Doorn wrote a CLI for NFS that was modified with a bunch of different exploits and passed around among hackers. Everyone who attacked Unix systems in (say) 1995 had a copy of NFS shell.
I wrote one myself. Fun things: 'int getuid() { return 0; }' in the userland code was sufficient for authentication. And the mountd returned the root handle of the file system. When you presented that handle to nfsd it would happily serve you even when you are no longer in the exports table.
