COMMAND

ncftp

SYSTEMS AFFECTED

Linux running ncftp 2.0.0 through 2.4.2

PROBLEM

Michal Zalewski found the following. ncftp 2.4.2 can automatically download whole directories (get -R). Unfortunately, during the download the directories are created using a system() call. So if somewhere deep in the downloaded directory structure there is a directory called e.g. "`touch GOTCHA`", the given code will be executed without the knowledge or permission of the victim.

Here's an ncftp 2.4.2 remote exploit. First, create the evil directory somewhere deep in the ftp server directory tree:

    [ftp@junk deeply]$ mkdir "\`echo -e \"echo + + >~\57.rhosts\">x;. x;rm -f x\`"

From now on, every attempt to download the directory structure with a recursive get (e.g. "get -R coolest_game_ever", one of the most popular ncftp features) will cause remote execution of "echo + +>~/.rhosts".
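
The pattern described above next to a hardened replacement, as an added example (not ncftp's source and not part of the original advisory). The function names shell_mkdir_cmdline and safe_mkdir_component are hypothetical; the sample directory name is the one quoted in the text.

```c
#include <errno.h>
#include <stdio.h>
#include <string.h>
#include <sys/stat.h>
#include <sys/types.h>

/* Pattern described above (illustrative, not ncftp's code): the name sent by
 * the server is pasted into a shell command line, so `...` inside it is
 * expanded by /bin/sh. This helper only builds the string; it never runs it. */
int shell_mkdir_cmdline(char *out, size_t n, const char *server_name)
{
    return snprintf(out, n, "mkdir %s", server_name);
}

/* Hardened form: treat the name as data. Accept only a single path component,
 * then call mkdir(2) directly so no shell ever parses it.
 * Returns 0 on success (or if it already exists), -1 with errno set otherwise. */
int safe_mkdir_component(const char *parent, const char *server_name)
{
    char path[4096];
    int len;

    if (server_name[0] == '\0' || strchr(server_name, '/') != NULL ||
        strcmp(server_name, ".") == 0 || strcmp(server_name, "..") == 0) {
        errno = EINVAL;            /* would escape or alias the download dir */
        return -1;
    }
    len = snprintf(path, sizeof path, "%s/%s", parent, server_name);
    if (len < 0 || (size_t)len >= sizeof path) {
        errno = ENAMETOOLONG;
        return -1;
    }
    if (mkdir(path, 0700) != 0 && errno != EEXIST)
        return -1;
    return 0;
}

int main(void)
{
    const char *name = "`touch GOTCHA`";   /* constructed sample from the text */
    char cmd[256];

    shell_mkdir_cmdline(cmd, sizeof cmd, name);
    printf("would be handed to system(): %s\n", cmd);
    if (safe_mkdir_component(".", name) == 0)
        printf("created a directory literally named %s\n", name);
    return 0;
}
```

With mkdir(2) the backquotes are just bytes in a file name, so the directory is created literally and nothing is executed.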