
Zaurus Bugs Put Corporate Networks at Risk

Written By
Ryan Naraine
Jul 12, 2002

Researchers at Syracuse University have found multiple bugs in Sharp’s
Zaurus SL-5000D and SL-5500 handheld devices that put corporate networks at
risk.

A warning from the school’s Center for Systems Assurance said the bugs
would allow a remote attacker to take full control of the Zaurus file
system, including the ability to overwrite files and/or programs with
Trojans.

The researchers also found a second vulnerability that affects the Zaurus
passcode function, which locks the Zaurus so that no data can be input via
the keypad and touch screen.

The affected handhelds use FTP for syncing operations, and the SU team found
that the FTP daemon on both Zaurus units is built into QPE, the default
windowing system for the units, and listens on port 4242. The daemon binds to
all network interfaces on the Zaurus, including any wireless network or PPP
interfaces.

“This FTP service gives any remote user access to the Zaurus filesystem
as root, via any network interface. Setting the root password on the
Zaurus has no effect, as the FTP daemon does not actually authenticate
the user. By default, the Zaurus has no root password,” it said.

The screen-locking passwords are stored in the file
/home/root/Settings/Security.conf and the security alert noted that the
passcode program uses the same salt value every time the passcode is set:
A0. “Knowing this, a cracker can generate a passcode table approximately 4G
in size, which can be used to look up the passcode given the file
Security.conf,” it warned.

The alert said Sharp’s support team had been notified of both vulnerabilities
and had promised a fix. In the meantime, the school’s researchers urged Zaurus
users who use Ethernet or PPP to attach to a network to either discontinue use
of QPE or place themselves behind a firewall until a patch for QPE is released.
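To confirm whether a Linux-based device has the exposure described above (a listener on port 4242 bound to every interface), an administrator can inspect the kernel's socket table. The following is an added example, not code from the advisory or from Sharp; the sample table is constructed, and the address decoding assumes a little-endian host.

```python
import socket
import struct

QPE_FTP_PORT = 4242   # port the advisory names for the QPE FTP daemon
TCP_LISTEN = "0A"     # state code for LISTEN in /proc/net/tcp

# Constructed sample in /proc/net/tcp layout (not captured from a real device).
SAMPLE_PROC_NET_TCP = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 00000000:1092 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 1201
   1: 0100007F:0277 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 1187
   2: 0A01A8C0:1092 0501A8C0:C350 01 00000000:00000000 00:00000000 00000000     0        0 1240
"""


def parse_listeners(table_text):
    """Return (ip, port, uid) for every socket in LISTEN state."""
    listeners = []
    for line in table_text.splitlines():
        fields = line.split()
        # Header and non-listening rows (e.g. 01 = ESTABLISHED) are skipped.
        if len(fields) < 8 or fields[3] != TCP_LISTEN:
            continue
        ip_hex, port_hex = fields[1].split(":")
        # Assumption: little-endian host, so the address bytes are reversed.
        ip = socket.inet_ntoa(struct.pack("<I", int(ip_hex, 16)))
        listeners.append((ip, int(port_hex, 16), int(fields[7])))
    return listeners


def exposed_listeners(table_text, port=QPE_FTP_PORT):
    """Listeners on `port` bound to 0.0.0.0, i.e. reachable on every interface."""
    return [entry for entry in parse_listeners(table_text)
            if entry[1] == port and entry[0] == "0.0.0.0"]


if __name__ == "__main__":
    for ip, port, uid in exposed_listeners(SAMPLE_PROC_NET_TCP):
        owner = "root" if uid == 0 else f"uid {uid}"
        print(f"EXPOSED: {ip}:{port} listening on all interfaces, owned by {owner}")
```

On a live device, pass the contents of `/proc/net/tcp` to `exposed_listeners` in place of the sample; an empty result means no wildcard-bound listener on that port.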
