Zaurus Linux security hole

From: Foo Bar (foo@bar.com)
Date: 03/08/03

Next message: PosterJoe: "Can anyone recommend some good books?"

Previous message: Bill Unruh: "Re: End of all Open Source."
Next in thread: Colonel Sam Flagg, U.S. Army Intelligence: "Re: Zaurus Linux security hole"
Reply: Colonel Sam Flagg, U.S. Army Intelligence: "Re: Zaurus Linux security hole"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

From: Foo Bar <foo@bar.com>
Date: Sat, 08 Mar 2003 02:30:22 GMT

I am a new owner of the Zaurus 5500, I have just got the thing setup and
working with a CF wireless network. I am very impressed with the power and
flexabillity of the Zaurus. Having a small Linux computer is great.

And so I was appalled to discover that all the information stored in the
Zaurus is accessable to anyone without a password!
Even worse, root access and file overwrite is granted as well.
( see http://lists.insecure.org/isn/2002/Jul/0063.html )

It seems that the Zaurus ships with NO PASSWORD on the root account, and I
can find no way to set a password. I have tried 'passwd root' from the
command shell, but it has no effect.

The problem stems from the fact that syncing is done via FTP on port 4242 as
root user. This means that *anyone* on the network, wired or wireless can
FTP to your Zaurus and upload/download whatever they want.

I have heard of a ROM update from Sharp that simply removes the abillity to
sync over a network. I don't see this as a fix, but as a crippling of the
device. Even with the networking function removed, anyone who can plug in a
USB cable can still have all your data without a password.

The only sensible solution I can see is to SET A PASSWORD. It is hardly a
revolutionary idea to have a password for the root account, afterall.

I see this as the most serious flaw a device could ever have, and has made
me reconsider the wisdom of buying such devices.

Next message: PosterJoe: "Can anyone recommend some good books?"

Previous message: Bill Unruh: "Re: End of all Open Source."
Next in thread: Colonel Sam Flagg, U.S. Army Intelligence: "Re: Zaurus Linux security hole"
Reply: Colonel Sam Flagg, U.S. Army Intelligence: "Re: Zaurus Linux security hole"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

Relevant Pages

Re: Multiple Security Vulnerabilities in Sharp Zaurus
... The FTP daemon on both Zaurus ... The daemon binds to all network interfaces on the Zaurus, ...
(Bugtraq)
RE: Multiple Security Vulnerabilities in Sharp Zaurus
... I just updated to the latest ROM last night. ... Multiple Security Vulnerabilities in Sharp Zaurus ... The daemon binds to all network interfaces on the Zaurus, ... I haven't tried to connect via USB yet. ...
(Bugtraq)
Re: Zaurus Linux security hole
... > working with a CF wireless network. ... > flexabillity of the Zaurus. ... > It seems that the Zaurus ships with NO PASSWORD on the root account, ... > FTP to your Zaurus and upload/download whatever they want. ...
(alt.computer.security)
Re: [opensuse] Should openSUSE review its Security Policies?
... security policies in openSUSE for things that require the root ... Adding a wireless network. ... KDE3has never asked the root password for adding a new ...
(SuSE)
RE: should i bother??
... > (network address translation from a public IP to a private network is always advised here) ... certain outgoing ports on the firewall at work. ... I run root kit hunter as a daily cron job. ... > Strong passwords of random letters, with at least two numbers and two special characters for all accounts, definately root. ...
(Fedora)