Lenovo IX2-DL Remote Root via CSRF

by Jon Lamendola

The Lenovo IX2-DL device has multiple vulnerabilities, including a Cross-Site Request Forgery (CSRF) exploit that has the capability of spawning a remote reverse shell, running as root.

The attack vector is CSRF on the device's application install page. The device does not include a unique token to verify that a given request is coming from a valid user, and therefore accepts all POST requests to the device as valid. This results in an attacker being able to trick a user's browser into sending a request to install malicious software on the device, using credentials from a previous login supplied automatically by the user's web browser.
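To make the missing control concrete, here is an added example (not Lenovo's code, and not taken from the advisory) of the server-side check a state-changing endpoint such as an application installer should perform: a per-session anti-CSRF token compared in constant time, plus a check of the browser-supplied Origin/Referer against the device host. The host name `ix2-dl.local`, the session store and the request dictionaries are all constructed for the illustration.

```python
import hmac
import secrets

# Constructed host name for the device's management console (assumption).
DEVICE_HOST = "ix2-dl.local"

# Hypothetical in-memory session store: session id (from the cookie) -> CSRF token.
_sessions: dict[str, str] = {}


def issue_token(session_id: str) -> str:
    """Create a per-session anti-CSRF token to embed in each state-changing form."""
    token = secrets.token_urlsafe(32)
    _sessions[session_id] = token
    return token


def _host_of(url: str) -> str:
    """Extract the host part of an Origin/Referer value, ignoring scheme, port and path."""
    return url.split("://", 1)[-1].split("/", 1)[0].split(":", 1)[0].lower()


def is_state_change_allowed(headers: dict, cookies: dict, form: dict) -> bool:
    """Accept a POST only if it carries the token bound to the cookie's session and,
    when the browser sends one, an Origin/Referer that names the device itself."""
    session_id = cookies.get("session")
    expected = _sessions.get(session_id) if session_id else None
    if expected is None:
        return False  # no authenticated session behind this request
    # A forged cross-site request carries the victim's cookie but cannot read
    # the token, so the form field is missing or wrong.
    submitted = form.get("csrf_token", "")
    if not hmac.compare_digest(submitted.encode(), expected.encode()):
        return False
    # Browsers attach Origin (or Referer) to cross-site POSTs; reject other sites.
    origin = headers.get("Origin") or headers.get("Referer")
    if origin is not None and _host_of(origin) != DEVICE_HOST:
        return False
    return True
```

A request that arrives with only the auto-submitted session cookie, as in the attack described above, fails the token comparison before the install action is ever reached.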

## Impact

A user who visits a malicious page could unknowingly have software installed on their device that would give an attacker full control. This could be used to modify or delete a user's stored files, or as an entry point for bypassing a firewall and attacking computers on the user's internal network.

## Mitigating Factors

In order for the exploit to work, a valid user with admin privileges who has recently logged into a Lenovo LifeLine device must visit the malicious page. No further user interaction is required, and no indication will be given to the user that the device has been compromised. Users can visit the applications page on the device's management console and check for unknown applications to see if they have recently been compromised. Keep in mind, however, that because the attacker is given root privileges, the application could easily be hidden or backdoors installed.

## Affected Devices

Any device running the Lenovo LifeLineEMC software version 4.0.6.19294 and prior is vulnerable.

## Recommended Actions

Contact Lenovo and ask that they fix the vulnerability. They have refused at this point. In addition, always be sure to log out of your device's management console when you are finished using it, and never visit untrusted web pages while logged in.