Researchers at Syracuse University have found multiple bugs in Sharp’s Zaurus SL-5000D and SL-5500 handheld devices that puts corporate networks at risk.
A warning from the school’s Center for Systems Assurance said the bugs would allow a remote attacker to take full control of the Zaurus file system, including the ability to overwrite files and/or programs with Trojans.
The researchers also found a second vulnerability that affects the Zaurus passcode function, which locks the Zaurus so that no data can be input via the keypad and touch screen.
The suspect handhelds use FTP for synching operations and the SU team found that the FTP daemon on both Zaurus units was built into QPE, the default windowing system for the units, on port 4242. The daemon binds to all network interfaces on the Zaurus, including any wireless network or PPP interfaces.
“This FTP service gives any remote user access to the Zaurus filesystem as root, via any network interface. Setting the root password on the Zaurus has no effect, as the FTP daemon does not actually authenticate the user. By default, the Zaurus has no root password,” it said.
The screen-locking passwords are stored in the file /home/root/Settings/Security.conf and the security alert noted that the passcode program uses the same salt value every time the passcode is set: A0. “Knowing this, a cracker can generate a passcode table approximately 4G in size, which can be used to look up the passcode given the file Security.conf,” it warned.
It said Sharp’s support team had been notified of both vulnerabilities and promised a fix. In the meantime, the school’s researchers urged Zaurus users who use ethernet or PPP to attach to a network to either discontinue use of QPE or place themselves behind a firewall until a patch for QPE is released.