Category:   Device (PDA)  >   Zaurus
Vendors:   Sharp
Sharp Zaurus PDA Includes an FTP Server That Does Not Require Authentication for Write Access With Root Privileges
SecurityTracker Alert ID:  1004750
SecurityTracker URL:
CVE Reference:   GENERIC-MAP-NOMATCH
Date:  Jul 12 2002
Impact:   Disclosure of authentication information, Modification of system information, Modification of user information, Root access via network
Vendor Confirmed:  Yes
Exploit Included:  Yes
Version(s): SL-5000D, SL-5500
Description:   Several vulnerabilities were reported in Sharp's Zaurus PDA device. A remote user can obtain full control of the file system. A remote user can determine the passcode needed to lock the device.

Researchers from Syracuse University reported that Sharp Zaurus models SL-5000D and SL-5500 use a built-in FTP server on port 4242. On certain versions, the FTP daemon binds to all network interfaces, including wireless network interfaces. A remote user can gain access via the FTP service to write files on the system with root privileges. The FTP service reportedly does not authenticate the user and the Zaurus has no root password by default.

It is also reported that a user with access to the '/home/root/Settings/Security.conf' file can determine the appropriate passcode to lock the device. The passcode can be supplied to lock the Zaurus so that no data can be input via the keypad or touch screen.

The vendor has reportedly been notified.

Impact:   A remote user can write to the file system with root privileges. A remote user can also determine the passcode needed to lock the PDA.
Solution:   No solution was available at the time of this entry.

A user reports that the latest version of the ROM firmware binds the FTP server to only the USB network interface.
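
To confirm which behaviour a given ROM has, the listening sockets can be read from the Linux /proc/net/tcp table. The following is an added example, not code from SecurityTracker, Sharp or the advisory authors; the sample tables and the USB address 192.168.129.201 are constructed for illustration, and only IPv4 on a little-endian host is handled.

```python
SYNC_PORT = 4242      # QPE's built-in FTP sync port, per the advisory
TCP_LISTEN = "0A"     # socket state code for LISTEN in /proc/net/tcp

_HEADER = ("  sl  local_address rem_address   st tx_queue rx_queue "
           "tr tm->when retrnsmt   uid  timeout inode\n")

# Constructed sample: daemon bound to 0.0.0.0 (every interface).
SAMPLE_ALL_IFACES = _HEADER + (
    "   0: 00000000:1092 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 1201\n"
    "   1: 0100007F:0016 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 1188\n"
)
# Constructed sample: daemon bound only to an assumed USB address.
SAMPLE_USB_ONLY = _HEADER + (
    "   0: C981A8C0:1092 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 1201\n"
)


def decode_addr(field):
    """Turn 'C981A8C0:1092' into ('192.168.129.201', 4242)."""
    hex_ip, hex_port = field.split(":")
    octets = bytes.fromhex(hex_ip)[::-1]   # kernel prints the address byte-swapped
    return ".".join(str(b) for b in octets), int(hex_port, 16)


def sync_listeners(proc_net_tcp, port=SYNC_PORT):
    """Return (bind_address, owner_uid) for each LISTEN socket on the sync port."""
    found = []
    for line in proc_net_tcp.splitlines()[1:]:     # skip the header row
        cols = line.split()
        if len(cols) < 8 or cols[3] != TCP_LISTEN:
            continue
        ip, local_port = decode_addr(cols[1])
        if local_port == port:
            found.append((ip, int(cols[7])))       # column 7 is the owning uid
    return found


def exposed_on_all_interfaces(proc_net_tcp):
    """True when the sync port is reachable from every network interface."""
    return any(ip == "0.0.0.0" for ip, _ in sync_listeners(proc_net_tcp))


if __name__ == "__main__":
    for name, table in (("all", SAMPLE_ALL_IFACES), ("usb", SAMPLE_USB_ONLY)):
        print(name, sync_listeners(table), exposed_on_all_interfaces(table))
```

On a device, pass the contents of /proc/net/tcp instead of the samples; a uid of 0 on the listener matches the root-privilege write access described above.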

Vendor URL:,1056,112,00.html
Cause:   Authentication error

Message History:   None.

 Source Message Contents

Subject:  Multiple Security Vulnerabilities in Sharp Zaurus

  Syracuse University Research for Understanding Aspects of the Zaurus
                  Security Advisory SURUAZ-2002-07-07
                      Center for Systems Assurance


The Sharp(R) Zaurus(tm) SL-5000D and SL-5500 have multiple security
vulnerabilities in design and implementation that affect system

The first vulnerability gives a remote attacker full control of the
Zaurus filesystem, including the ability to overwrite files and/or
programs with trojans.

The second vulnerability affects the Zaurus passcode function, which
locks the Zaurus so that no data can be input via the keypad and touch


Vulnerability 1:  Remote filesystem access

The Sharp(R) Zaurus(tm) SL-5000D and SL-5500 handhelds use FTP for
performing sync operations with a PC.  The FTP daemon on both Zaurus
models is built into QPE, the default windowing system for the units, on
port 4242.  The daemon binds to all network interfaces on the Zaurus,
including any wireless network or PPP interfaces.

This FTP service gives any remote user access to the Zaurus filesystem
as root, via any network interface.  Setting the root password on the
Zaurus has no effect, as the FTP daemon does not actually authenticate
the user.  By default, the Zaurus has no root password.

Vulnerability 2:  Passcode

The Zaurus stores the screen-locking passcode in the file
/home/root/Settings/Security.conf.  The passcode program uses the same
salt value every time the passcode is set: A0.  Knowing this, a cracker
can generate a passcode table approximately 4G in size, which can be
used to look up the passcode given the file Security.conf.


Vulnerability 1:  Remote filesystem access

Zaurus users who use ethernet or PPP to attach to a network should
either discontinue use of QPE or place themselves behind a firewall until
a patch for QPE is released.

Vulnerability 2:  Passcode

This issue is larger than it sounds.  Changing the passcode utility so
that it does a crypt() call on plaintext passcode, using a new salt
value each time, is difficult because the Zaurus generates very little
random number data.

Only interrupts from the keyboard and front buttons call
add_interrupt_randomness() in the kernel.  Screen taps do not, nor do
CompactFlash events.  Many users will only input via the screen, using
handwriting recognition or the built-in software keyboard.  Changing the
interrupt handler for the screen to call add_interrupt_randomness()
should add sufficient entropy to the random number pool to generate a
sufficiently random salt on the fly.

Sharp Support has been notified of both issues and responded 7 June 2002
with, "We have passed this information on to the engineers who have been
working on that issue."


Dr. Steve Chapin <>
Douglas F. Calvert <>
David Walter <>
K. Reid Wightman <>
Niranjan Sivakumar <>
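
Added example, not part of the SURUAZ advisory and not Sharp's passcode code: it contrasts storing a passcode under the constant salt A0 with storing it under a fresh salt each time. PBKDF2 is used here as a stand-in for crypt(), and the function names, the `salt$hash` storage layout and the 16-character salt length are assumptions.

```python
import hashlib
import hmac
import secrets

FIXED_SALT = "A0"   # the constant salt the advisory reports
SALT_ALPHABET = ("abcdefghijklmnopqrstuvwxyz"
                 "ABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789./")


def _salted_hash(passcode, salt):
    # Stand-in for crypt(): deterministic for a given (passcode, salt) pair.
    digest = hashlib.pbkdf2_hmac("sha256", passcode.encode(),
                                 salt.encode(), 10_000)
    return salt + "$" + digest.hex()


def store_fixed(passcode):
    """Behaviour described in the advisory: every device uses salt A0."""
    return _salted_hash(passcode, FIXED_SALT)


def store_random(passcode):
    """Remediation: draw a new salt whenever the passcode is set.

    secrets reads the kernel random pool, so this is only as good as the
    entropy the kernel has collected, which is the concern raised above.
    """
    salt = "".join(secrets.choice(SALT_ALPHABET) for _ in range(16))
    return _salted_hash(passcode, salt)


def verify(passcode, stored):
    """Recompute with the salt kept beside the hash; constant-time compare."""
    salt = stored.partition("$")[0]
    return hmac.compare_digest(_salted_hash(passcode, salt), stored)


if __name__ == "__main__":
    # Two devices, same passcode: identical records under the fixed salt,
    # so one precomputed table applies to every Security.conf.
    print(store_fixed("1234") == store_fixed("1234"))      # True
    # With per-set salts the stored records differ, yet both still verify.
    a, b = store_random("1234"), store_random("1234")
    print(a != b, verify("1234", a), verify("1234", b))
```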