All your ASUS servers iKVM/IPMI may belong to other!

Introduction

In this post I will describe how I found multiple implementation flaws in ASUS's iKVM/IPMI firmware that allow a remote attacker to grab users' passwords and consequently gain access to some ASUS iKVM/IPMI-equipped servers.

This is CRITICAL, since IPMI gives you local-ish access to the server (console, power control, virtual media), which can be used to bypass every security control usually placed at the network layer.
Almost everyone puts IPMI/iKVM on backend networks and accesses it in a secure way (VPN, etc.); unfortunately, there are many people who expose it in public address space. Since IPMI has a very specific signature (it answers RMCP/ASF presence pings on UDP port 623), these public IPMIs are very easy to find by scanning entire IP allocations.
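As an added example (my own code, not from the original post or from ASUS), here is what that "specific signature" looks like at the protocol level: an RMCP/ASF Presence Ping sent to UDP port 623, and a parser for the Presence Pong a BMC answers with. Bit 7 of the pong's "Supported Entities" byte is the "IPMI supported" flag that scanners key on. The `SAMPLE_PONG` bytes are constructed here for offline use (they are not a capture from an ASUS BMC); `probe()` sends a real ping and only runs if you pass a host on the command line.

```python
import socket
import struct
import sys
from typing import Optional

IPMI_UDP_PORT = 623
RMCP_VERSION = 0x06          # RMCP version byte, 0x06 = RMCP 1.0
RMCP_SEQ_NO_ACK = 0xFF       # sequence 0xFF = no RMCP ACK requested
RMCP_CLASS_ASF = 0x06        # message class ASF (IPMI payloads use 0x07)
ASF_IANA = 0x000011BE        # IANA enterprise number of the ASF spec (4542)
ASF_PRESENCE_PING = 0x80
ASF_PRESENCE_PONG = 0x40
PONG_DATA_LEN = 0x10


def build_presence_ping(tag: int = 0x01) -> bytes:
    """RMCP header + ASF Presence Ping: 12 bytes, no data field."""
    rmcp = struct.pack("!BBBB", RMCP_VERSION, 0x00, RMCP_SEQ_NO_ACK, RMCP_CLASS_ASF)
    asf = struct.pack("!IBBBB", ASF_IANA, ASF_PRESENCE_PING, tag, 0x00, 0x00)
    return rmcp + asf


def parse_presence_pong(packet: bytes, expected_tag: Optional[int] = None) -> Optional[dict]:
    """Return the pong's capability fields, or None if this is not a valid pong."""
    if len(packet) < 12 + PONG_DATA_LEN:
        return None
    version, _reserved, _seq, msg_class = struct.unpack("!BBBB", packet[:4])
    if version != RMCP_VERSION or (msg_class & 0x0F) != RMCP_CLASS_ASF:
        return None
    iana, msg_type, tag, _reserved2, data_len = struct.unpack("!IBBBB", packet[4:12])
    if iana != ASF_IANA or msg_type != ASF_PRESENCE_PONG or data_len != PONG_DATA_LEN:
        return None
    if expected_tag is not None and tag != expected_tag:
        return None   # reply to somebody else's ping, or a spoofed answer
    oem_iana, oem_defined, entities, interactions = struct.unpack("!IIBB", packet[12:22])
    return {
        "tag": tag,
        "ipmi_supported": bool(entities & 0x80),    # bit 7: IPMI supported
        "asf_version": entities & 0x0F,             # bits 3:0: 1 = ASF 1.0
        "rmcp_security_ext": bool(interactions & 0x80),
        "dash_supported": bool(interactions & 0x40),
        "oem_iana": oem_iana,
        "oem_defined": oem_defined,
    }


def probe(host: str, timeout: float = 2.0) -> Optional[dict]:
    """Send one ping to a live host; None on timeout or malformed reply."""
    ping = build_presence_ping(tag=0x01)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(ping, (host, IPMI_UDP_PORT))
        try:
            data, _addr = sock.recvfrom(64)
        except socket.timeout:
            return None
    return parse_presence_pong(data, expected_tag=0x01)


# Constructed sample reply (not captured from a real BMC): a pong with tag 1
# that advertises IPMI support and ASF 1.0, with no OEM data.
SAMPLE_PONG = bytes.fromhex(
    "0600ff06"                      # RMCP: version 6, reserved, seq 0xFF, class ASF
    "000011be" "40" "01" "00" "10"  # ASF: IANA, Presence Pong, tag 1, reserved, 16 data bytes
    "000011be"                      # data: IANA enterprise number
    "00000000"                      # data: OEM defined
    "81"                            # data: supported entities (IPMI | ASF 1.0)
    "00"                            # data: supported interactions
    "000000000000"                  # data: reserved
)

if __name__ == "__main__":
    if len(sys.argv) > 1:
        print(sys.argv[1], probe(sys.argv[1]))
    else:
        print(parse_presence_pong(SAMPLE_PONG, expected_tag=1))
```

The ping is unauthenticated by design, so a BMC answers it regardless of user configuration; that is exactly why an IPMI interface on a public address is found within minutes of a range scan.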

This all started when I decided to take a closer look at the SSH interface of the ASUS IPMI.
Usually in IPMI implementations, SSH is used to provide a SMASH interface.
I tried logging in with a user-created login and, unsurprisingly, the SMASH interface showed up on my screen.

SMASH-CLP Console v1.09 version
COMMAND COMPLETED :
version

*****************************************************

Smash CLP Version :SMASH 1.0.0/CLP 1.09

*****************************************************

The Hack

Now things start to warm up.
I tried again to log in via SSH, but instead of using a user-created login, I used the "admin" login.
Dang, a Bourne shell into the IPMI's internal BusyBox popped up on my screen.

Shell access

The first thing I checked was how users were specified, by looking into the file "/conf/passwd":

admin:x:502:502::/home:/bin/sh
user1:x:504:504::/home:/usr/local/bin/smash
user2:x:505:505::/home:/usr/local/bin/smash

This answered my doubts: user-created logins are stuck with the SMASH interface, but "admin" has shell access.
Taking a deeper look, I saw that an "anonymous" login existed and it had shell access. WHAT?
By "WHAT?" I mean that via the management interface you don't see any "anonymous" user, and forcing a password change on this user throws a "user already exists" error. No shit?

Additionally there was obviously a "root" login, and it also had SMASH as its shell... and again there was no way of changing the root password in the management interface.
Remember that both the "root" and "anonymous" users don't work in the web management interface; they are completely invisible to it.

So the questions are: which passwords do the root and anonymous users have? Are they the same on all servers?

At this point I could not believe what I was seeing, but then it got worse....

Clear text passwords

Previously I had found the passwd file in the /conf folder; looking deeper into this folder I saw a file called "clearpasswd", and again it was WTF? time.

$ cat /conf/clearpasswd
root:superuser
anonymous:anonymous
user1:user1passwordincleartext
...

bookie:~ pedrodias$ ssh anonymous@192.168.1.25
Password:

BusyBox v1.1.3 (2011.02.18-03:46+0000) Built-in shell (ash)
Enter 'help' for a list of built-in commands.

$

  1. ASUS stores user passwords in plain text!
  2. anonymous has shell access, which can be used to read the /conf/clearpasswd file, which contains all users' passwords in plaintext!!!
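As an added example (my own code, not the author's or ASUS's), here is a small audit over copies of the two files discussed above. It takes the contents of /conf/passwd and /conf/clearpasswd (pulled from the BMC over the shell) plus the user list as shown in the web management interface, and reports accounts that get a real shell instead of the SMASH wrapper, accounts the web UI does not show, the two combined (the worst case: reachable over SSH, unmanageable from the UI), and cleartext credentials that are trivially guessable (password equal to the username, or the root/anonymous defaults quoted in this post). The sample inputs are constructed from the lines quoted in the post; the root/anonymous uids, the admin and user2 passwords, and the web-UI user list are assumptions.

```python
from typing import Dict, List

SMASH_SHELL = "/usr/local/bin/smash"   # restricted CLP wrapper seen in /conf/passwd
# Credentials quoted in the post; treat as known-bad if still present after an update.
KNOWN_DEFAULTS = {("root", "superuser"), ("anonymous", "anonymous")}


def parse_passwd(text: str) -> Dict[str, dict]:
    """Parse passwd(5)-style lines into {user: {uid, gid, home, shell}}; skip junk."""
    users = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != 7:
            continue   # malformed line, not a passwd entry
        name, _pw, uid, gid, _gecos, home, shell = fields
        users[name] = {"uid": int(uid), "gid": int(gid), "home": home, "shell": shell}
    return users


def parse_clearpasswd(text: str) -> Dict[str, str]:
    """Parse 'user:password' lines; a password may itself contain ':'."""
    creds = {}
    for line in text.splitlines():
        if ":" not in line:
            continue
        name, password = line.split(":", 1)
        creds[name.strip()] = password
    return creds


def audit(passwd_text: str, clearpasswd_text: str, web_ui_users: List[str]) -> dict:
    """Cross-check the BMC account database against what the management UI shows."""
    users = parse_passwd(passwd_text)
    creds = parse_clearpasswd(clearpasswd_text)
    visible = set(web_ui_users)

    shell_accounts = sorted(n for n, u in users.items() if u["shell"] != SMASH_SHELL)
    hidden_accounts = sorted(n for n in users if n not in visible)
    hidden_shell = sorted(set(shell_accounts) & set(hidden_accounts))
    weak_cleartext = sorted(
        n for n, p in creds.items() if (n, p) in KNOWN_DEFAULTS or p == n
    )
    return {
        "shell_accounts": shell_accounts,
        "hidden_accounts": hidden_accounts,
        "hidden_shell_accounts": hidden_shell,
        "cleartext_credentials": len(creds),
        "weak_cleartext": weak_cleartext,
    }


# Constructed from the post's quoted lines; root/anonymous uids are assumptions.
SAMPLE_PASSWD = """\
root:x:0:0::/home:/usr/local/bin/smash
anonymous:x:501:501::/home:/bin/sh
admin:x:502:502::/home:/bin/sh
user1:x:504:504::/home:/usr/local/bin/smash
user2:x:505:505::/home:/usr/local/bin/smash
"""

# Constructed; admin and user2 passwords are made up for the example.
SAMPLE_CLEARPASSWD = """\
root:superuser
anonymous:anonymous
admin:s3cret-admin
user1:user1passwordincleartext
user2:user2
"""

# Assumption: the accounts the web management interface lists for this BMC.
WEB_UI_USERS = ["admin", "user1", "user2"]

if __name__ == "__main__":
    for key, value in audit(SAMPLE_PASSWD, SAMPLE_CLEARPASSWD, WEB_UI_USERS).items():
        print(f"{key}: {value}")
```

Running it on the sample data reports anonymous as a hidden account with a real shell, root as a hidden account, and root/anonymous/user2 as weak cleartext credentials; the same check is worth re-running after the firmware update and factory reset described later to confirm the hidden accounts are actually gone.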

Fix

  • Tried changing the root and anonymous passwords, or disabling them, via web management, WITHOUT success.
  • Tried the same via SMASH, WITHOUT success:

set password=231jk4h1
COMMAND COMPLETED :
set password=231jk4h1
 ufip=/system1/sp1/account1
      Password cannot be changed for userid=1

  • iKVM/IPMI is a backend technology! Just don't use it in public address space!

Affected servers

  • Servers equipped with ASMB5-iKVM modules.

EDIT:

- If someone finds a way to change the root and/or anonymous password, feel free to contribute :)
- Although INTEL has a similar IPMI implementation, it is NOT affected by this.
- SUPERMICRO has a similar problem with the anonymous user (already reported by someone else), but there it only gives a SMASH interface; it can easily be fixed by changing the anonymous password (disabling the anonymous user does not solve the problem).

EDIT VENDOR:

- I've been told that ASUS is already actively working on it. A new firmware update (v1.9) should be released soon after the test phase.

EDIT (FIX):

- Update to the recently released v1.10 and do a factory reset/config wipe to close this hole (you must do a factory reset, or else the problem will still be there).


10 Comments

  1. Ari

     /  June 28, 2012

    This is really WTF from ASUS's side? But I am almost as surprised when seeing a 103-line-long proof-of-concept program for this when just a simple screenshot would prove it ;)

    Reply
  2. Jeremy Jackson

     /  October 1, 2012

    Good work, now maybe I can install a proper serial terminal like minicom or screen, and be able to send a BREAK sequence to the Linux console!

    Reply
  3. Carlos Moio

     /  January 25, 2013

    25/01/2013... the latest firmware version, 1.10, was released 1 week ago.. the bug still works.. I can't believe that Asus could not patch it...

    Reply
    • I think that update didn't touch the module firmware :/ A few months ago Asus sent me a beta ASMB5 firmware which was patched.

      Reply
  4. Richard

     /  February 1, 2013

    v1.10 should work. For the firmware to take effect, it has to be flashed without keeping previous configuration. Otherwise the password settings will not be updated.

    Reply
    • Carlos Moio

       /  February 1, 2013

      Yes, this is the last version I have.. that I don't have to preserve the configuration when updating, that's not good at all; I work with servers in a datacenter and one of the purposes of KVM is to avoid remote hands or going personally to touch them.....

      Maybe with ipmicfg from the OS I can set it up again with the IP; gonna give it a try and update. Thanks to all ;)

      I've reported this to ASUS and they told me that 1.10 had it solved.

      Reply
  5. Never, ever put iKVM on public addressing! Always use a VPN or SSH tunneling to a server whose sole purpose is to provide internal access to the iKVMs.

    Reply
  6. Alexey

     /  February 22, 2014

    Hello,
    Somehow the web interface is not working (page keeps loading), but I do have SSH access. Is it possible to reboot the iKVM from the SMASH-CLP console?

    Reply
    • Alexey

       /  March 20, 2014

      ipmitool -H IP_server -U admin -P passwd -I lanplus raw 0x06 0x02

      Reply
  1. Built-in backdoor in ASUS servers | Zaufana Trzecia Strona
