Security Vulnerabilities in Sharp Zaurus

On July 10th, a report of remote filesystem access and screen-locking passcode disclosure vulnerabilities in Sharp Zaurus was released by the Syracuse University Center for Systems Assurance. The first is a little scary: the sync service gives anybody with network access to the Zaurus (through a wireless net, say) the ability to overwrite any file on the filesystem. The second is a problem with relatively weak encryption of passwords. It was pointed out, on posts to BugTraq, that Sharp did mitigate, but not resolve, the remote filesystem access risk by restricting access to the vulnerable port.

Sharp has apparently known about these problems for more than a month, but no update that fixes them is yet available. The Zaurus developer community apparently knew about the remote filesystem access vulnerability as early as March 29th. An independently compiled list of problems with the Zaurus, last updated on May 6th, includes the remote filesystem access vulnerability and some pointed comments on Sharp's management.

The Zaurus SL5000D and SL5500 are palmtop computers with great potential, but the maker, Sharp Electronics, has botched several things and has not taken any steps to deal with the issues even though they have had feedback about most of the problems below on the developer web site for months. Unfortunately, Sharp has not answered the concerns raised by developers during the beta period. The SL5500 is now a released product and the general public will begin to run into these problems. It is sad that Sharp has refused to fix the problems with their unit, as the Zaurus may be a first introduction to Linux/Unix systems for many users. The problems the Zaurus has will give the false impression to new users that the problems are with Linux in general rather than with the choices that Sharp made in implementing Linux on the Zaurus.

Richard Shim reported on the security vulnerabilities for News.com, including his own comments on Sharp's management of Zaurus development.

Linux is an open-source operating system, giving developers equal access to the code. Many consider that an advantage in a situation like this, as security flaws are found quickly and fixes and other software improvements can be added by a whole community of programmers, not just those employed by a particular company. However, Sharp has not released the source code for the Zaurus' particular operating system to the open-source community, nor has it integrated any community updates to its OS, choosing instead to go a more proprietary route. [...]

"Sharp committed to Linux and the open-source community, but they've realized that they don't want to live the lifestyle," said a source familiar with the company's plans.

Security Vulnerabilities in Sharp Zaurus

Posted Jul 18, 2002 18:18 UTC (Thu) by DeletedUser2631 ((unknown), #2631) [Link]

I own one of these devices and found out about the ftp security issue early on. It is easily dealt with if you're a developer: compile and install a custom kernel with ipchains enabled, and simply block the ports. If you're less technically adept, I've posted a precompiled kernel on my website for download and installation, along with the ipchains binary and a sample command line.

http://www.quagmire.cc/zaurus

Copyright © 2002, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds