Original release date: December 11, 2002<br> 
Last revised: Tue Dec 17 14:43:22 EST 2002<br>
Source: CERT/CC<br>

<p>A complete revision history can be found at the end of this file.</p>

<a name="affected"></a>
<h3>Systems Affected</h3>

<li>Sun Cobalt RaQ 4 Server Appliances with the Security Hardening Package installed</li>
<li>Sun Cobalt RaQ 3 Server Appliances running the RaQ 4 build with the Security Hardening Package installed</li>

<a name="overview"></a>

A remotely exploitable vulnerability has been discovered in <a
href="http://www.sun.com/hardware/serverappliances/">Sun Cobalt
RaQ Server Appliances</a> running Sun's <a
Hardening Package (SHP)</a>. Exploitation of this vulnerability may
allow remote attackers to execute arbitrary code with superuser

<a name="description"></a>
<h2>I. Description</h2>

Cobalt RaQ is a Sun Server Appliance. Sun provides a Security Hardening Package (SHP)
for Cobalt RaQs. Although the SHP is not installed by default, many users
choose to install it on their RaQ servers.

For background information on the SHP, please see the
RaQ 4 User Guide</a>.

A vulnerability in the SHP may allow a remote attacker to execute
arbitrary code on a Cobalt RaQ Server Appliance. The vulnerability
occurs in a cgi script that does not properly filter
input. Specifically,
<i>overflow.cgi</i> does not adequately filter input destined for the
<i>email</i> variable. Because of this flaw, an attacker can use a
POST request to fill the <i>email</i> variable with arbitrary
commands. The attacker can then call <i>overflow.cgi</i>, which will
allow the command the attacker filled the <i>email</i> variable with
to be executed with superuser privileges.


An exploit is publicly available and may be circulating.

Further information about this vulnerability may be found in <a
href="http://www.kb.cert.org/vuls/id/810921">VU#810921</a> in the <a href="http://www.kb.cert.org/vuls">CERT/CC
Vulnerability Notes Database</a>.

<a name="impact"></a>
<h2>II. Impact</h2>


A remote attacker may be able to execute arbitrary code on a Cobalt
RaQ Server Appliance with the SHP installed.

<br> <a name="solution"></a>
<h2>III. Solution</h2>

<h4>Apply a patch from your vendor</h4>

<a href="#vendors">Appendix A</a> contains information provided by
vendors for this advisory.  As vendors report new information to the
CERT/CC, we will update this section and note the changes in our revision
history.  If a particular vendor is not listed below, we have not received
their comments.  Please contact your vendor directly.

<a name="workarounds"></a>

Block access to the Cobalt RaQ administrative httpd server
(typically ports 81/TCP and 444/TCP) at your network perimeter. Note
that this will not protect vulnerable hosts within your network
perimeter. It is important to understand your network configuration
and service requirements before deciding what changes are appropriate.

<a name="caveats"></a>

<p>The patch supplied by Sun removes the SHP completely. If your
operation requires the use of the SHP, you may need to find a suitable

<a name="vendors"></a>
<h2>Appendix A. - Vendor Information</h2>

<a name="sun"></a>
<h4>Sun Microsystems</h4>
Sun confirms that a remote root exploit does affect the Sun/Cobalt RaQ4 platform
if the SHP (Security Hardening Patch) patch was installed.<br>
Sun has released a Sun Alert which describes how to remove the SHP patch:<br>
&nbsp;&nbsp;&nbsp; <a
The removal patch is available from:<br>
<!-- end vendor -->

<a name="references">
<H2>Appendix B. - References</H2>


<li><a name="ref1">
<P>CERT/CC Vulnerability Note: VU#810921 - <A

<li><a name="ref2">
<P>Sun SHP RaQ 4 User Guide - <A

<li><a name="ref3">
<P>COBALT RaQ 4 User Manual - <A


<hr noshade>

<p>grazer@digit-labs.org publicly <A
this vulnerability.

<hr noshade>

<p>Author: <a
href="mailto:cert@cert.org?subject=CA-2002-35%20Feedback%20VU%23810921">Ian A. Finlay</a>.


<!--#include virtual="/include/footer_nocopyright.html" -->

<p>Copyright 2002 Carnegie Mellon University.</p>

<p>Revision History
December 11, 2002: Initial release
December 16, 2002: Added information stating RaQ 3 Server Appliances are vulnerable as well (with SHP installed)
December 16, 2002: Revised systems affected section