|
COMMAND Sharp Zaurus compromise via weak passwords and open FTP SYSTEMS AFFECTED Sharp Zaurus SL-5000D and SL-5500 PROBLEM In Syracuse University Research for Understanding Aspects of the Zaurus security advisory [SURUAZ-2002-07-07] [http://www.csa.syr.edu], credits to Dr. Steve Chapin [chapin@ecs.syr.edu], Douglas F. Calvert [dfc@anize.org], David Walter [dwalter@syr.edu], K. Reid Wightman [krwightm@syralumni.org], Niranjan Sivakumar [nsivakum@syr.edu] : Remote filesystem access ======================== The Sharp(R) Zaurus(tm) SL-5000D and SL-5500 handhelds use FTP for performing sync operations with a PC. The FTP daemon on both Zaurus models is built into QPE, the default windowing system for the units, on port 4242. The daemon binds to all network interfaces on the Zaurus, including any wireless network or PPP interfaces. This FTP service gives any remote user access to the Zaurus filesystem as root, via any network interface. Setting the root password on the Zaurus has no effect, as the FTP daemon does not actually authenticate the user. By default, the Zaurus has no root password. Passcode ======== The Zaurus stores the screen-locking passcode in the file /home/root/Settings/Security.conf. The passcode program uses the same salt value every time the passcode is set: A0. Knowing this, a cracker can generate a passcode table approximately 4G in size, which can be used to look up the passcode given the file Security.conf. SOLUTION Workarounds: Remote filesystem access ======================== Zaurus users who use ethernet or PPP to attach to a network should either discontinue use of QPE or place themselves behind a firewal until a patch for QPE is released. Stephen Harris, adds : According to http://www.linuxjournal.com/article.php?sid=5902 At least, the latest version of the ROM makes the FTP server open only on the USB network interface. Document is dated Jul 2, 2002. My ROM is 2.12 (machine was bought on July 9!) and if I try to connect to port 4242 over wireless network the connection is terminated immediately. Passcode ======== This issue is larger than it sounds. Changing the passcode utility so that it does a crypt() call on plaintext passcode, using a new salt value each time, is difficult because the Zaurus generates very little random number data. Only interrupts from the keyboard and front buttons call add_interrupt_randomness() in the kernel. Screen taps do not, nor do CompactFlash events. Many users will only input via the screen, using handwriting recognition or the built-in software keyboard. Changing the interrupt handler for the screen to call add_interrupt_randomness() should add sufficient entropy to the random number pool to generate a sufficiently random salt on the fly.