CERT® Advisory CA-2002-35 Vulnerability in RaQ Server Appliances
Original release date: December 11, 2002
Last revised: Tue Dec 17 14:43:22 EST 2002
A complete revision history can be found at the end of this file.
Overview
A remotely exploitable vulnerability has been discovered in Sun Cobalt RaQ Server Appliances running Sun's Security Hardening Package (SHP). Exploitation of this vulnerability may allow remote attackers to execute arbitrary code with superuser privileges.
Cobalt RaQ is a Sun Server Appliance. Sun provides a Security Hardening Package (SHP) for Cobalt RaQs. Although the SHP is not installed by default, many users choose to install it on their RaQ servers. For background information on the SHP, please see the SHP RaQ 4 User Guide.
A vulnerability in the SHP may allow a remote attacker to execute arbitrary code on a Cobalt RaQ Server Appliance. The vulnerability is in a CGI script that does not properly filter input: specifically, overflow.cgi does not adequately filter input destined for the email variable. Because of this flaw, an attacker can use a POST request to fill the email variable with arbitrary commands. When the attacker then calls overflow.cgi, the commands placed in the email variable are executed with superuser privileges.
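The following Python is an added illustration of the flaw class described above, not code from the advisory, from Sun, or from the SHP's overflow.cgi (which is not reproduced here). It contrasts the unfiltered pattern, in which the email field is pasted straight into a shell command line, with a hardened handler that checks the field against a strict allow-list and passes it as a single argv element without a shell. The /usr/bin/mail program, the field handling and the sample POST bodies are assumptions constructed for the example.

```python
import re
import subprocess
from typing import List
from urllib.parse import parse_qs

# Allow-list for the "email" form field: a local part, "@", and a dotted domain.
# Nothing outside these character classes can match, so shell metacharacters
# (; | & ` $ ( ) < > newline, whitespace) are rejected before any command is built.
EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]{1,64}@[A-Za-z0-9-]+(?:\.[A-Za-z0-9-]+)+")


def is_valid_email(value: str) -> bool:
    """True only if the whole value is a plain address under EMAIL_RE."""
    return len(value) <= 254 and EMAIL_RE.fullmatch(value) is not None


def email_from_post(body: str) -> str:
    """Extract the "email" field from a urlencoded POST body; empty string if absent.
    The field name comes from the advisory; the body is supplied by the caller."""
    fields = parse_qs(body, keep_blank_values=True, max_num_fields=32)
    return fields.get("email", [""])[0]


def unsafe_shell_line(email: str) -> str:
    """The flaw class the advisory describes: the field is pasted into a shell
    command line with no filtering, so whatever the client sent reaches the
    shell verbatim. Returned for inspection only; this example never runs it."""
    return "/usr/bin/mail " + email


def mail_argv(email: str) -> List[str]:
    """Hardened form: validate first, then build an argv list. The value becomes
    one argument to the program, never shell text. (/usr/bin/mail is a
    hypothetical target program chosen for the example.)"""
    if not is_valid_email(email):
        raise ValueError("rejected email field: %r" % email)
    return ["/usr/bin/mail", email]


def send_notification(email: str, body: str) -> int:
    """Run the hardened command with shell=False and return its exit status.
    Needs /usr/bin/mail to exist, so the checks below do not exercise it."""
    proc = subprocess.run(mail_argv(email), input=body.encode(), shell=False, check=False)
    return proc.returncode


if __name__ == "__main__":
    # Constructed request bodies: one benign, one carrying a shell metacharacter.
    for body in ("email=user%40example.com", "email=user%40example.com%3Bid"):
        email = email_from_post(body)
        print("unfiltered shell line would be:", unsafe_shell_line(email))
        try:
            print("hardened argv:", mail_argv(email))
        except ValueError as err:
            print("hardened handler:", err)
```

The point of the allow-list is that it is checked before anything is built from the value, and the hardened path never hands the value to a shell at all, so a metacharacter that slipped past the pattern would still be just part of one argument.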
An exploit is publicly available and may be circulating.
Apply a patch from your vendor
Appendix A contains information provided by vendors for this advisory. As vendors report new information to the CERT/CC, we will update this section and note the changes in our revision history. If a particular vendor is not listed below, we have not received their comments. Please contact your vendor directly.
Workarounds
Block access to the Cobalt RaQ administrative httpd server (typically ports 81/TCP and 444/TCP) at your network perimeter. Note that this will not protect vulnerable hosts within your network perimeter. It is important to understand your network configuration and service requirements before deciding what changes are appropriate.
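Because an exploit is circulating and the perimeter block above leaves internal hosts exposed, a defender will want to see attempts in the administrative httpd's access log. The Python below is an added example, not part of the advisory: it parses common-log-format lines, flags every POST whose target script is overflow.cgi, and labels the client as inside or outside the perimeter. An external hit means the block is not in effect; an internal hit is exactly the case the block cannot cover. The log lines, the /cgi-bin/ path for overflow.cgi, the log format and the internal address ranges are all constructed assumptions (only the script name and the POST method come from the advisory).

```python
import ipaddress
import re
from typing import Dict, List, Optional, Tuple

# Common-log-format line: client, ident, user, [timestamp], "request", status, bytes.
CLF_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3}) (\S+)')

# Networks treated as inside the perimeter (assumed RFC 1918 ranges; adjust per site).
INTERNAL_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed sample lines standing in for the RaQ administrative httpd access log.
# The /cgi-bin/ location is a placeholder; only the script name is from the advisory.
SAMPLE_LOG = """\
10.0.0.5 - - [16/Dec/2002:10:02:11 -0500] "GET /login.cgi HTTP/1.0" 200 1203
10.0.0.9 - - [16/Dec/2002:10:05:43 -0500] "POST /cgi-bin/overflow.cgi HTTP/1.0" 200 412
203.0.113.7 - - [16/Dec/2002:10:07:02 -0500] "POST /cgi-bin/overflow.cgi HTTP/1.1" 200 412
198.51.100.3 - - [16/Dec/2002:10:09:30 -0500] "GET /overflow.cgi HTTP/1.0" 200 77
malformed line that should be skipped
"""


def parse_clf(line: str) -> Optional[Dict[str, str]]:
    """Parse one access-log line; None if it does not have the expected shape."""
    m = CLF_RE.match(line)
    if not m:
        return None
    client, ts, method, path, status, size = m.groups()
    return {"client": client, "time": ts, "method": method,
            "path": path, "status": status, "size": size}


def is_overflow_post(rec: Dict[str, str]) -> bool:
    """The advisory's trigger: a POST whose target script is overflow.cgi,
    wherever it sits in the tree (query string ignored)."""
    script = rec["path"].split("?", 1)[0].rsplit("/", 1)[-1]
    return rec["method"].upper() == "POST" and script == "overflow.cgi"


def source_zone(client: str, internal=INTERNAL_NETS) -> str:
    """'internal' if the client address is in an internal network, 'external'
    otherwise, 'unknown' if the field is not an IP address at all."""
    try:
        addr = ipaddress.ip_address(client)
    except ValueError:
        return "unknown"
    return "internal" if any(addr in net for net in internal) else "external"


def find_overflow_posts(log_text: str) -> List[Tuple[str, str, str]]:
    """Return (client, zone, timestamp) for every POST to overflow.cgi."""
    hits = []
    for line in log_text.splitlines():
        rec = parse_clf(line)
        if rec and is_overflow_post(rec):
            hits.append((rec["client"], source_zone(rec["client"]), rec["time"]))
    return hits


if __name__ == "__main__":
    for client, zone, ts in find_overflow_posts(SAMPLE_LOG):
        print(f"{ts} POST to overflow.cgi from {client} ({zone})")
```

Matching on the script name rather than a full path keeps the check independent of where the SHP installs the script; matching on POST rather than on the request body is a deliberate choice, since access logs do not record the body and the advisory's trigger is the POST itself.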
The patch supplied by Sun removes the SHP completely. If your operation requires the use of the SHP, you may need to find a suitable alternative.
Appendix A. - Vendor Information
Sun Microsystems
Sun confirms that a remote root exploit does affect the Sun/Cobalt RaQ4 platform if the SHP (Security Hardening Patch) patch was installed.
Sun has released a Sun Alert which describes how to remove the SHP patch:
The removal patch is available from:
Appendix B. - References
email@example.com publicly reported this vulnerability.
Author: Ian A. Finlay.
This document is available from: http://www.cert.org/advisories/CA-2002-35.html
CERT/CC Contact Information
Phone: +1 412-268-7090 (24-hour hotline)
Fax: +1 412-268-6989
CERT/CC personnel answer the hotline 08:00-17:00 EST(GMT-5) / EDT(GMT-4) Monday through Friday; they are on call for emergencies during other hours, on U.S. holidays, and on weekends.
We strongly urge you to encrypt sensitive information sent by email. Our public PGP key is available from
If you prefer to use DES, please call the CERT hotline for more information.
Getting security information
CERT publications and other security information are available from our web site
* "CERT" and "CERT Coordination Center" are registered in the U.S. Patent and Trademark Office.
Conditions for use, disclaimers, and sponsorship information
Copyright 2002 Carnegie Mellon University.
December 11, 2002: Initial release
December 16, 2002: Added information stating RaQ 3 Server Appliances are vulnerable as well (with SHP installed)
December 16, 2002: Revised systems affected section