Zaurus Linux security hole

From: Foo Bar (foo@bar.com)
Date: 03/08/03


I am a new owner of the Zaurus 5500, I have just got the thing setup and
working with a CF wireless network. I am very impressed with the power and
flexibility of the Zaurus. Having a small Linux computer is great.

And so I was appalled to discover that all the information stored in the
Zaurus is accessible to anyone without a password!
Even worse, root access and file overwrite is granted as well.
(see http://lists.insecure.org/isn/2002/Jul/0063.html)

It seems that the Zaurus ships with NO PASSWORD on the root account, and I
can find no way to set a password. I have tried 'passwd root' from the
command shell, but it has no effect.

The problem stems from the fact that syncing is done via FTP on port 4242 as
root user. This means that *anyone* on the network, wired or wireless, can
FTP to your Zaurus and upload/download whatever they want.

I have heard of a ROM update from Sharp that simply removes the ability to
sync over a network. I don't see this as a fix, but as a crippling of the
device. Even with the networking function removed, anyone who can plug in a
USB cable can still have all your data without a password.

The only sensible solution I can see is to SET A PASSWORD. It is hardly a
revolutionary idea to have a password for the root account, after all.

I see this as the most serious flaw a device could ever have, and it has made
me reconsider the wisdom of buying such devices.
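As an added example, not part of the post, here is a small audit that detects the condition the poster describes: an account (in particular a UID-0 account) whose password field is empty in /etc/passwd or /etc/shadow. The passwd and shadow contents are constructed samples, not taken from a real Zaurus.

```python
from typing import Dict, List

# Constructed sample files modelled on the post: root has an empty password
# field in passwd, and one shadowed account ('guest') has an empty hash.
SAMPLE_PASSWD = """\
root::0:0:root:/root:/bin/sh
zaurus:x:500:500:Zaurus User:/home/zaurus:/bin/sh
guest:x:501:501:Guest:/home/guest:/bin/sh
ftp:x:14:50:FTP sync:/var/ftp:/bin/false
"""
SAMPLE_SHADOW = """\
zaurus:$1$salt$notarealhash:12000:0:99999:7:::
guest::12000:0:99999:7:::
ftp:!:12000:0:99999:7:::
"""

def parse_colon_file(text: str) -> Dict[str, List[str]]:
    """Map account name -> remaining colon-separated fields."""
    entries: Dict[str, List[str]] = {}
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue  # skip blank and comment lines
        name, *fields = line.split(":")
        entries[name] = fields
    return entries

def empty_password_accounts(passwd_text: str, shadow_text: str) -> List[str]:
    """Accounts that need no password at all: an empty field in passwd, or
    'x' deferring to a shadow entry whose hash field is empty ('!' and '*'
    mean the account is locked, which is the opposite situation)."""
    shadow = parse_colon_file(shadow_text)
    flagged = []
    for name, fields in parse_colon_file(passwd_text).items():
        pw = fields[0]
        if pw == "":
            flagged.append(name)
        elif pw == "x" and name in shadow and shadow[name][0] == "":
            flagged.append(name)
    return sorted(flagged)

def uid_zero_accounts(passwd_text: str) -> List[str]:
    """Every UID-0 account, i.e. root privileges under any name."""
    return sorted(n for n, f in parse_colon_file(passwd_text).items() if f[1] == "0")

def audit(passwd_text: str, shadow_text: str) -> Dict[str, object]:
    """Summary; 'root_unprotected' is exactly the flaw described in the post."""
    empties = empty_password_accounts(passwd_text, shadow_text)
    uid0 = uid_zero_accounts(passwd_text)
    return {"empty_password": empties, "uid0": uid0,
            "root_unprotected": any(n in uid0 for n in empties)}
```

To check a real device, feed `audit` the contents of /etc/passwd and /etc/shadow instead of the samples (reading shadow requires root).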

