2052.txt

snort入侵检测规则文件2.4 Snort是众所周知的网络入侵检测工具

Rule:

--
Sid:
2052

--
Summary:
This event is generated when an attempt is made to exploit a known 
vulnerability in Sun Cobalt RaQ server appliances.

--
Impact:
Execution of code and possible root compromise of the system.

--
Detailed Information:
A vulnerability in the security hardening package for Sun Cobalt RaQ 4 
and RaQ 3 running RaQ 4 does not filter user input to the email variable
in the overflow.cgi script correctly.

POST requests to the script may contain code in the email variable which
will then be processed with the privilege of the super user on the 
system.

--
Affected Systems:
Sun Cobalt RaQ 4 Server Appliances with the Security Hardening Package 
installed
Sun Cobalt RaQ 3 Server Appliances running the RaQ 4 build with the 
Security Hardening Package installed

--
Attack Scenarios:
An attacker can supply his own POST request to the overflow.cgi script 
that contains code he wishes to run.

An exploit is also available.

--
Ease of Attack:
Simple

--
False Positives:
None Known

--
False Negatives:
None Known

--
Corrective Action:
Apply the appropriate vendor fixes.

--
Contributors:
Sourcefire Research Team
Brian Caswell <bmc@sourcefire.com>
Nigel Houghton <nigel.houghton@sourcefire.com>

--
Additional References:

CERT:
http://www.kb.cert.org/vuls/id/810921
http://www.cert.org/advisories/CA-2002-35.html

--