Root privileges can be obtained by user nobody with uid 65535 by exploiting a problem with /usr/bin/rcp. Many applications are running as 'nobody', in particular the NCSA httpd server, which by default executes all cgi-bin scripts under this uid.