When scp'ing files from a remote machine, the remote scp daemon can be modified to overwrite arbitrary files on the client side. Scp from ssh-1.2.30 and below is vulnerable. Proof of concept scp replacment included.
c83fdb97397307f495d1cef7e5ab8dc8f8740692dccebe8deaaee85d3f5a2fe1