Zaurus Linux security hole
From: Foo Bar (email@example.com)
Date: Sat, 08 Mar 2003 02:30:22 GMT
I am a new owner of the Zaurus 5500. I have just got the thing set up and
working with a CF wireless network. I am very impressed with the power and
flexibility of the Zaurus. Having a small Linux computer is great.
And so I was appalled to discover that all the information stored in the
Zaurus is accessible to anyone without a password!
Even worse, root access and file overwrite is granted as well.
( see http://lists.insecure.org/isn/2002/Jul/0063.html )
It seems that the Zaurus ships with NO PASSWORD on the root account, and I
can find no way to set a password. I have tried 'passwd root' from the
command shell, but it has no effect.
The problem stems from the fact that syncing is done via FTP on port 4242 as
the root user. This means that *anyone* on the network, wired or wireless, can
FTP to your Zaurus and upload/download whatever they want.
I have heard of a ROM update from Sharp that simply removes the ability to
sync over a network. I don't see this as a fix, but as a crippling of the
device. Even with the networking function removed, anyone who can plug in a
USB cable can still have all your data without a password.
The only sensible solution I can see is to SET A PASSWORD. It is hardly a
revolutionary idea to have a password for the root account, after all.
I see this as the most serious flaw a device could ever have, and it has made
me reconsider the wisdom of buying such devices.
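The core complaint above is a root account whose password field is empty, and a `passwd root` that seemed to change nothing. As an added example, not part of the original message, here is a small audit that reads passwd/shadow-style lines and reports every account that can log in with no password at all, so an owner can confirm whether the change actually took effect. The sample lines are constructed; a real check would read /etc/passwd and, where present, /etc/shadow from the device.

```python
# Added example (not from the original post): classify the password field of
# passwd/shadow-style account lines and list accounts needing no password.

def _fields(lines):
    """Yield (name, password_field) for each well-formed 'name:pw:...' line."""
    for raw in lines:
        line = raw.strip()
        if not line or line.startswith("#"):
            continue  # blank line or comment
        parts = line.split(":")
        if len(parts) >= 2:
            yield parts[0], parts[1]

def classify(field):
    """'empty' = login needs no password; 'locked' = '!'/'*' style lock;
    'shadowed' = 'x' placeholder (the real answer lives in shadow);
    anything else is assumed to be a password hash and counts as 'set'."""
    if field == "":
        return "empty"
    if field == "x":
        return "shadowed"
    if field.startswith("!") or field == "*":
        return "locked"
    return "set"

def account_states(passwd_lines, shadow_lines=()):
    """Map account name -> state, resolving 'x' entries against shadow.
    An 'x' entry with no shadow record is reported as 'unresolved'."""
    shadow = dict(_fields(shadow_lines))
    states = {}
    for name, pw in _fields(passwd_lines):
        state = classify(pw)
        if state == "shadowed":
            state = classify(shadow[name]) if name in shadow else "unresolved"
        states[name] = state
    return states

def passwordless_accounts(passwd_lines, shadow_lines=()):
    """Sorted names of accounts whose effective password field is empty."""
    states = account_states(passwd_lines, shadow_lines)
    return sorted(n for n, s in states.items() if s == "empty")

# Constructed sample: root has an empty password field, as the post describes.
SAMPLE_PASSWD = [
    "root::0:0:root:/root:/bin/sh",
    "daemon:*:1:1:daemon:/usr/sbin:/bin/false",
    "zaurus:x:500:500:Zaurus User:/home/zaurus:/bin/sh",
    "guest:x:501:501:Guest:/home/guest:/bin/sh",
]
SAMPLE_SHADOW = [
    "zaurus:$1$saltsalt$constructedhashvalue0123456:12000:0:99999:7:::",
    "guest::12000:0:99999:7:::",
]

if __name__ == "__main__":
    print(passwordless_accounts(SAMPLE_PASSWD, SAMPLE_SHADOW))  # ['guest', 'root']
```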