11th Jul 2002 [SBWID-5526]
COMMAND
Sharp Zaurus compromise via weak passwords and open FTP
SYSTEMS AFFECTED
Sharp Zaurus SL-5000D and SL-5500
PROBLEM
In the Syracuse University Research for Understanding Aspects of the Zaurus
security advisory [SURUAZ-2002-07-07] [http://www.csa.syr.edu], credited
to Dr. Steve Chapin [chapin@ecs.syr.edu], Douglas F. Calvert
[dfc@anize.org], David Walter [dwalter@syr.edu], K. Reid Wightman
[krwightm@syralumni.org], and Niranjan Sivakumar [nsivakum@syr.edu]:
Remote filesystem access
========================
The Sharp(R) Zaurus(tm) SL-5000D and SL-5500 handhelds use FTP for
performing sync operations with a PC. The FTP daemon on both Zaurus
models is built into QPE, the default windowing system for the units,
on port 4242. The daemon binds to all network interfaces on the Zaurus,
including any wireless network or PPP interfaces.
This FTP service gives any remote user access to the Zaurus filesystem
as root, via any network interface. Setting the root password on the
Zaurus has no effect, as the FTP daemon does not actually authenticate
the user. By default, the Zaurus has no root password.
Passcode
========
The Zaurus stores the screen-locking passcode in the file
/home/root/Settings/Security.conf. The passcode program uses the same
salt value every time the passcode is set: A0. Knowing this, a cracker
can generate a passcode table approximately 4G in size, which can be
used to look up the passcode given the file Security.conf.
SOLUTION
Workarounds:
Remote filesystem access
========================
Zaurus users who use Ethernet or PPP to attach to a network should
either discontinue use of QPE or place themselves behind a firewall
until a patch for QPE is released.
Stephen Harris adds: According to
http://www.linuxjournal.com/article.php?sid=5902,
at least the latest version of the ROM makes the FTP server open only
on the USB network interface. The document is dated Jul 2, 2002. My ROM is
2.12 (the machine was bought on July 9!) and if I try to connect to port
4242 over the wireless network the connection is terminated immediately.
Passcode
========
This issue is larger than it sounds. Changing the passcode utility so
that it does a crypt() call on the plaintext passcode, using a new salt
value each time, is difficult because the Zaurus generates very little
random number data.
Only interrupts from the keyboard and front buttons call
add_interrupt_randomness() in the kernel. Screen taps do not, nor do
CompactFlash events. Many users will only input via the screen, using
handwriting recognition or the built-in software keyboard. Changing the
interrupt handler for the screen to call add_interrupt_randomness()
should add sufficient entropy to the random number pool to generate a
sufficiently random salt on the fly.
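The fixed-salt defect and the per-set random salt recommended above, as an added example that is not part of the advisory or of the Zaurus software. The INI layout of Security.conf ([Passcode] group with a passcode key) is an assumption, and SHA-256 over salt+passcode stands in for crypt(3), keeping crypt's convention of prepending the two-character salt to the stored value.

```python
"""Audit a Zaurus-style Security.conf passcode entry for the constant 'A0'
salt and show a per-set random salt. INI layout assumed; SHA-256 over
salt+passcode stands in for crypt(3), salt prepended as crypt does."""
import hashlib
import secrets
import string

FIXED_SALT = "A0"                                            # constant salt named above
SALT_ALPHABET = string.ascii_letters + string.digits + "./"  # crypt(3) salt characters

def hash_passcode(passcode: str, salt: str) -> str:
    """Stand-in for crypt(passcode, salt): the two-character salt is
    prepended to the output, so a verifier can recover it from the hash."""
    return salt + hashlib.sha256((salt + passcode).encode()).hexdigest()

def set_passcode_vulnerable(passcode: str) -> str:
    """Original behaviour: every set uses 'A0', so equal passcodes hash
    identically on every unit and one precomputed table inverts all of them."""
    return hash_passcode(passcode, FIXED_SALT)

def set_passcode_fixed(passcode: str) -> str:
    """Recommended behaviour: a fresh CSPRNG salt per set (on the device this
    needs the extra entropy sources discussed above)."""
    salt = "".join(secrets.choice(SALT_ALPHABET) for _ in range(2))
    return hash_passcode(passcode, salt)

def verify_passcode(passcode: str, stored: str) -> bool:
    """Recompute with the salt carried in the stored value, as crypt() does."""
    return hash_passcode(passcode, stored[:2]) == stored

def parse_security_conf(text: str) -> dict:
    """Minimal reader for the [Passcode] group of the (assumed) INI layout."""
    group, values = None, {}
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            group = line[1:-1]
        elif group == "Passcode" and "=" in line:
            key, _, value = line.partition("=")
            values[key.strip()] = value.strip()
    return values

def uses_fixed_salt(conf_text: str) -> bool:
    """True when the stored passcode hash carries the constant 'A0' salt."""
    return parse_security_conf(conf_text).get("passcode", "")[:2] == FIXED_SALT

# Constructed sample of /home/root/Settings/Security.conf as the defect leaves it.
SAMPLE_CONF = "[Passcode]\npasscode = " + set_passcode_vulnerable("1234") + "\n"
```

Running uses_fixed_salt over a unit's Security.conf flags entries written by the unpatched passcode utility, which should be re-set once a utility with per-set salts is available.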