Linux running ncftp 2.0.0 through 2.4.2


    Michal Zalewski found the following.  ncftp 2.4.2 can automatically
    download whole directories (get -R).  Unfortunately, the local
    directories are created during the download with a system() call.
    So if a directory called e.g. "`touch GOTCHA`" lies somewhere deep
    in the downloaded directory structure, the embedded command will be
    executed without the knowledge or permission of the victim.  Here's
    an ncftp 2.4.2 remote exploit.  First, create an evil directory
    somewhere deep in the ftp server directory tree:

        [ftp@junk deeply]$ mkdir "\`echo -e \"echo + + >~\57.rhosts\">x;.  x;rm -f x\`"

    From now on, every attempt to download the directory structure with
    a recursive get (e.g. "get -R coolest_game_ever"; that's one of the
    most popular ncftp features) will cause remote execution of
    "echo + +>~/.rhosts".


    Replace the system() call in Util.h with mkdir(), or simply upgrade
    to the new version of NcFTP (2.4.3), released on March 19th, which
    fixes this bug.  It's available from:
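
    The mkdir() replacement described above, as an added example (not
    NcFTP's own code): mkdir(2) receives the server-supplied name as
    plain bytes, so the sample name from this advisory becomes a literal
    directory and nothing is executed.  The function names and the /tmp
    scratch path are assumptions made for this illustration.

```c
#include <errno.h>
#include <stdio.h>
#include <sys/stat.h>
#include <sys/types.h>
#include <unistd.h>

/* Added example, not NcFTP source; function names are hypothetical.
 * Create one local directory for a name supplied by the FTP server.
 * mkdir(2) hands the bytes to the kernel unparsed, so backticks, ';' and
 * '$' are ordinary filename characters; no shell ever sees them. */
int make_local_dir(const char *name)
{
    struct stat st;
    if (name == NULL || name[0] == '\0')
        return -1;
    if (mkdir(name, 0777) == 0)       /* umask still restricts the mode */
        return 0;
    /* Re-running a recursive get finds the directory already present. */
    if (errno == EEXIST && stat(name, &st) == 0 && S_ISDIR(st.st_mode))
        return 0;
    return -1;
}

/* Constructed check: returns 1 when the advisory's sample name ends up as
 * a literal directory and the command embedded in it did not run. */
int hostile_name_is_inert(void)
{
    const char *hostile = "`touch GOTCHA`";
    char scratch[64];                 /* assumed scratch location */
    struct stat st;
    int ok;
    snprintf(scratch, sizeof scratch, "/tmp/ncftp-demo-%ld", (long)getpid());
    if (mkdir(scratch, 0700) != 0 || chdir(scratch) != 0)
        return 0;
    ok = make_local_dir(hostile) == 0
      && stat(hostile, &st) == 0 && S_ISDIR(st.st_mode) /* literal name */
      && stat("GOTCHA", &st) != 0                       /* nothing ran  */
      && make_local_dir(hostile) == 0;                  /* EEXIST is ok */
    rmdir(hostile);
    if (chdir("/") != 0)
        ok = 0;
    rmdir(scratch);
    return ok;
}

int main(void)
{
    return hostile_name_is_inert() ? 0 : 1;
}
```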

    Not vulnerable are ncftp versions 1.0 (circa 1992) through  1.9.5,
    but may have other problems,  2.4.3, 3.0 (beta) and NcFTPGet  (all