Yes they can.
Shell is not needed to execute commands using the privileges of the user running the service.
Anyway - weakness in the service running under unprivileged user is used to gain access to local system and then that access is used to run a local root exploit(s) (which are more common than remote root exploits).
About detection - there is no universal and foolproof way. It helps to have syslog logging to remote machine and running stealth IDS systems between services and internet.
__________________
Fhtagn nagh Yog-Sothoth
|