XXX: Need some more general bla bla here, and some history
There are various protocols that pass around addresses as part of the data stream. For instance, the FTP protocol's PORT command tells the server to open a data connection to the given IP address and port. According to the standard defining the FTP protocol, this connection must originate from port 20 on the FTP server. A subsequent RETR command, for instance, would instruct the server to transfer the content of a file over this connection:
XXX: example session
Now assume that an attacker asks the server to connect to 127.0.0.1, port 513, which is the rlogin service port.
When you connect to an rlogin server using the rlogin command, the client will bind to a port less than 1024 and send the server your login name and the name of the account to log in to. The server assumes the client side login name is okay because the connection originated from a privileged port, and only root is permitted to bind to these ports. Hence the connection must have been established by the rlogin command (obvious, isn't it?), and thus the name can safely be used in scanning the target user's .rhosts file. QED.
Now our FTP server comes along and connects to the rlogin port. This connection always originates on port 20, which incidentally is below 1024. Making the FTP server send a data stream that pretends root is trying to log in is trivial.
This class of exploits is known as FTP bounce attacks, because they use the FTP server for "bouncing" requests to another host and service. The way to avoid this kind of problem is by making sure the address sent by the client is the same as the one the control connection originates from.
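The server-side check described above, as an added example that is not part of the original text or of any particular FTP server. The function name `check_port_arg` is hypothetical; it assumes IPv4, a PORT argument with the trailing CRLF already stripped, and a `peer` address obtained from `getpeername()` on the control connection. The refusal of ports below 1024 is extra hardening beyond what the text asks for.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <arpa/inet.h>
#include <netinet/in.h>

/* Hypothetical helper: parse "h1,h2,h3,h4,p1,p2" from a PORT command and
 * accept it only if it names the control connection's peer.
 * Returns 0 and fills *data on success, -1 if the request must be refused. */
int check_port_arg(const char *arg, const struct sockaddr_in *peer,
                   struct sockaddr_in *data)
{
    unsigned int f[6];
    char trailing;

    /* Exactly six decimal fields; the final %c catches trailing garbage. */
    if (sscanf(arg, "%3u,%3u,%3u,%3u,%3u,%3u%c",
               &f[0], &f[1], &f[2], &f[3], &f[4], &f[5], &trailing) != 6)
        return -1;
    for (int i = 0; i < 6; i++)
        if (f[i] > 255)
            return -1;
    uint32_t addr = (f[0] << 24) | (f[1] << 16) | (f[2] << 8) | f[3];
    uint16_t port = (uint16_t)((f[4] << 8) | f[5]);

    /* The check the text describes: same host as the control connection. */
    if (htonl(addr) != peer->sin_addr.s_addr)
        return -1;
    /* Extra hardening, not from the text: never target privileged ports. */
    if (port < 1024)
        return -1;

    memset(data, 0, sizeof(*data));
    data->sin_family = AF_INET;
    data->sin_addr.s_addr = htonl(addr);
    data->sin_port = htons(port);
    return 0;
}

int main(void)
{
    struct sockaddr_in peer = {0}, data;
    peer.sin_family = AF_INET;
    peer.sin_addr.s_addr = inet_addr("192.0.2.10"); /* constructed client */
    printf("own host: %d\n", check_port_arg("192,0,2,10,19,137", &peer, &data));
    printf("bounce: %d\n", check_port_arg("127,0,0,1,2,1", &peer, &data));
    return 0;
}
```

A server would answer the PORT command with an error reply whenever the function returns -1 and use `data` for the outgoing connection otherwise.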