Showing results for 
Search instead for 
Do you mean 
Reply
Lenovo Employee
Posts: 2
Registered: ‎04-21-2016
Location: US
Message 11 of 18 (1,098 Views)

Re: ThinkPad Stack Professional Kit bugs and improvements (FW 1.1.3.4, ECP 0.1.0.2)

[ Edited ]

Hello Aleph-zero,

 

I'm glad to hear about your enthusiasm for ThinkPad Stack and thank you for posting about the content security issue you have come across while using the product.  I am a Product Manager for ThinkPad Accessories and will share your concerns with our inernal team to see what help we can provide or what changes may need to be made. 

 

Per an earlier post this is the issue I will be sharing with my team:

 

the Stack shares the content of the HDD with the entire Internet without requiring a password, even worse, this sharing is done as "root" user allowing any file being read/changed/removed by anyone with anonymous access

 

I will investigate this issue internally and come back to you with my findings.

Highlighted
Punch Card
Posts: 16
Registered: ‎07-14-2016
Location: US
Message 12 of 18 (1,074 Views)

Re: ThinkPad Stack Professional Kit bugs and improvements (FW 1.1.3.4, ECP 0.1.0.2)

[ Edited ]

Thank you mneybeck!

 

All I said is true.  I honestly believe the ThinkPad Stack is an innovative

device with huge possibilities.  Its hardware quality, as usual on

Lenovo, is excellent and the device itself can fill a big gap.  I plan to

use it not only to simplify deployment of wireless networks and

storage devices but also to provide an additional protection layer to

computers in case of connecting to hostile networks (e.g., filtering

the Intel ME, NFS, RPC and bootp ports).  Don't know how future

firmware upgrades will be, but I do not discard using this device as an

end-point for a VPN.

 

Only time will say what we can do with the Stack!

 

As I see it there are two main security issues related to the Stack:

 

1. the port filtering firewall does not seem to work as expected

(while here, a "default deny" policy would be great too);

2. the Samba/CIFS server is listening on all interfaces, including WAN,

allowing privileged anonymous access to contents on the disk

(partially mitigated if formatted as ext4, as files can be protected by

means of ext4 file attributes (chattr(1)).

 

To reproduce the Samba sharing issue just set up a computer to act as

a DHCP server (this one will play the role of a "router" or "AP" connected

to the Internet) and connect the Stack to it using the Ethernet port and

let it autoconfigure its network settings.  Then you should be able to

access the Stack HDD without using a password from the computer

playing the role of a host on the Internet.

 

Just log into the device (using telnet) and check the permissions of the

files created. Don't know how it will perform on an NTFS-formatted drive,

but on an ext4 it is clear the owner of the files created is "root" and no

standard permissions (using chmod(1) instead of chattr(1)) will stop this

user from modifying a directory or file that is write protected.  This one is

the reason I say only chattr(1) provides a minimal protection, as file

attributes are honored by the "root" user too.

 

Please, let me know if you need additional information or testing.

I will listen to this thread.

Punch Card
Posts: 16
Registered: ‎07-14-2016
Location: US
Message 13 of 18 (1,055 Views)

Re: ThinkPad Stack Professional Kit bugs and improvements (FW 1.1.3.4, ECP 0.1.0.2)

If you welcome my advice I would suggest a simple but effective fix: the ThinkPad Stack router should never have services listening on the egress interface (e.g. the Ethernet port on a default configuration).

 

In other words, services like Samba/CIFS or DLNA should never listen on the interface pointed by the default route, i.e. the interface connected to the world.

 

Punch Card
Posts: 16
Registered: ‎07-14-2016
Location: US
Message 14 of 18 (936 Views)

Re: ThinkPad Stack Professional Kit bugs and improvements (FW 1.1.3.4, ECP 0.1.0.2)

I am sorry for bumping this thread but there had been no activity on it in the last two months and the problem described here is severe and very easy to exploit.

 

What is the current status of this report?  No service should be listening on the egress interface.  In the ThinkPad Stack the Samba/CIFS service is not only listening on the external interface but also allows unauthenticated root access to the device's HDD from anywhere.

 

Thanks!

Punch Card
Posts: 16
Registered: ‎07-14-2016
Location: US
Message 15 of 18 (796 Views)

Re: ThinkPad Stack Professional Kit bugs and improvements (FW 1.1.3.4, ECP 0.1.0.2)

I am sorry for bumping this thread again, but this one is a serious problem that must be fixed.

SCSI Port
Posts: 47
Registered: ‎08-15-2016
Location: US
Message 16 of 18 (771 Views)

Re: ThinkPad Stack Professional Kit bugs and improvements (FW 1.1.3.4, ECP 0.1.0.2)

I just bought this device a week ago and its being shipped to me next week - everything you have said it truly terrifying as the thought of all my private data being out there in the open broadcasted by its companion nonetheless - what was Lenovo thinking????

 

I hope until much more safer alternatives come up - the 1TB HDD will be primarily used for multimedia only sadly (I don't mind if you copy some good classical music, lol) I hope Lenovo can come up with some safey measures quick, I really like the concept of the Stack, but safety measures must be implemented before they can take any step further. 

 

I hope Lenovo can keep up the good work and keep up the support. 

 

Aleph - good job mate - keep up the good work as well!!

Paper Tape
Posts: 2
Registered: ‎12-09-2016
Location: AU
Message 17 of 18 (715 Views)

Re: ThinkPad Stack Professional Kit bugs and improvements (FW 1.1.3.4, ECP 0.1.0.2)

I was having a look around the router.

Looks like an mips based embedded linux but its not blindingly obvious to me

what toolchain was used and I can not find much about rtl linux in english.

Looking at the startup script in /etc/rc.d/ I noticed that /bin/startup

is called which in turn invokes any files in /var/persist/startup.

I  placed a short script in there to set the timezone, hostname

and root password.  I imagine a script invoking /bin/iptables could be used

to customise the firewall rules restricting wan access to the minimum.

I was interested in how using an existing wifi connection for the wan connection

worked.  Even though I had the impression is was bridged its not.

The stack's wifi connections are still on 192.168.33.x so the traffic must

be routed to the wan wifi (and nat'd?)

I purchased the stack for the speaker, external drive and battery pack

(discounted was cheaper than buying each generic device separately)

so the router is for me a gift or toy.

 

Building a more functional busybox binary for this device might be a project.

Serial Port
Posts: 40
Registered: ‎08-15-2015
Location: Germany
Message 18 of 18 (42 Views)

Re: ThinkPad Stack Professional Kit bugs and improvements (FW 1.1.3.4, ECP 0.1.0.2)

Just as side note: I returned my Stack to Lenovo - too many sad problems.

Top Kudoed Authors
User Kudos Count
1