Exploit:

  There is a bug in sshd allowing non-root users
  to redirect priviliged ports.
  adding a line like:

        LocalForward 80 remotehost:80

  to your $HOME/.ssh/config will forward a
  priviliged port to a remote port, without
  needing root.