COMMAND

    ncftp

SYSTEMS AFFECTED

    Linux running ncftp 2.0.0 through 2.4.2

PROBLEM

    Michal  Zalewski  found  following.   ncftp  2.4.2  has ability to
    automatic download of whole directories (get -R).   Unfortunately,
    when downloaded, directories are created using system() call.   So
    if  somewhere,  deeply  into  downloaded directory structure, lies
    directory called eg. "`touch GOTCHA`", given code will be executed
    without knowledge nor permission of victim.  Here's an ncftp 2.4.2
    remote exploit.   By the first,  you should create  evil directory
    somewhere, deeply into ftp server directory tree:

        [ftp@junk deeply]$ mkdir "\`echo -e \"echo + + >~\57.rhosts\">x;.  x;rm -f x\`"

    From now,  every attempt  of downloading  directory structure with
    recursive get (eg. "get  -R coolest_game_ever", that's one  of the
    most  popular  ncftp  features),  will  cause  remote execution of
    "echo + +>~/.rhosts".

SOLUTION

    Replace system() call in Util.h with mkdir() or simply apply a new
    version of NcFTP (2.4.3) released  on March 19th which fixes  this
    bug.  It's available from:

        ftp.ncftp.com/pub/ncftp
        http://www.ncftp.com/download/

    Not vulnerable are ncftp versions 1.0 (circa 1992) through  1.9.5,
    but may have other problems,  2.4.3, 3.0 (beta) and NcFTPGet  (all
    versions)