All your ASUS servers iKVM/IPMI may belong to other!


In this post I will describe how I found multiple implementation failures by ASUS that allow a remote attacker to grab users’ passwords and consequently access some ASUS iKVM/IPMI-equipped servers.

This is CRITICAL, since IPMI gives you local’ish access to the server, which can be used to bypass every security measure usually placed at the network layer.
Almost everyone puts IPMI/iKVM in backend networks and accesses it in a secure way (VPN, etc.). Unfortunately, there are many people who use it in public address space. Since IPMI has a very specific signature, these public IPMIs are very easy to find by scanning entire IP allocations.

This all started when I decided to take a closer look into the ASUS IPMI’s SSH interface.
Usually in IPMI implementations, SSH is used to provide a SMASH interface.
I tried logging in with a user-created login and, without surprise, the SMASH interface showed up on my screen.

SMASH-CLP Console v1.09 version


Smash CLP Version :SMASH 1.0.0/CLP 1.09


The Hack

Now things start to warm up.
I tried again to log in via SSH, but instead of using a user-created login, I used the “admin” login.
Dang, a Bourne shell into the IPMI’s internal BusyBox popped up on my screen.

Shell access

The first thing I checked out was how users were specified, by looking into the file “/conf/passwd”:


This answered my doubts: user-created logins are stuck with the SMASH interface, but the “Admin” has shell access.
Taking a deeper look, I saw that an “anonymous” login existed and it had shell access, WHAT?
By “WHAT?” I mean: via the management interface you don’t see any “anonymous” user, and forcing a password change on this user throws a “user already exist” error, no shit?

Additionally, there was obviously a “root” login and it also had SMASH as its shell… and again no way of changing the root password in the management interface.
Remember that both the “root” and “anonymous” users don’t work in the web management interface; they are completely invisible to it.

So the questions are: which passwords do the root and anonymous users have? Are they the same on all servers?

At this point I could not believe what I was seeing, but then it got worse….

Clear text passwords

Previously I found the passwd file in the /conf folder. Looking deeper into this folder, I saw a file called “clearpasswd”, and again it was WTF? time.

$ cat /conf/clearpasswd


bookie:~ pedrodias$ ssh anonymous@

BusyBox v1.1.3 (2011.02.18-03:46+0000) Built-in shell (ash)
Enter 'help' for a list of built-in commands.

  1. ASUS stores user passwords in plain text!
  2. anonymous has shell access, which can be used to check the /conf/clearpasswd file, which contains all users’ passwords in plaintext!!!


  • Tried changing the root and anonymous passwords or disabling them via web management, WITHOUT success.
  • Tried the same via SMASH, WITHOUT success.
set password=231jk4h1
set password=231jk4h1
      Password cannot be changed for userid=1
  • iKVM/IPMI is a backend technology! Just don’t use it in public address space!

Affected servers

  • Servers equipped with ASMB5-iKVM modules.


– If someone finds a way to change the root and/or anonymous password, feel free to contribute 🙂
– Although INTEL has a similar IPMI implementation, it is NOT affected by this.
– SUPERMICRO has a similar problem with the anonymous user (already reported by someone else), but it only gives the SMASH interface. It can easily be fixed by changing the anonymous password (disabling the anonymous user does not solve the problem).


– I’ve been told that ASUS is already working actively on it. A new firmware update (v1.9) should be released soon after the test phase.


– Update to the recently released v1.10 and do a factory reset/config wipe to close this hole. (you must do a factory reset or else the problem will still be there)
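
One way to check a copy of the module’s /conf directory for the two problems described in this post: accounts with shell access that nobody created, and a plaintext password file. This is an added example, not code from the original post or from ASUS; it assumes /conf/passwd uses the standard passwd(5) field layout, and the shell paths and sample files are constructed.

```shell
#!/bin/sh
# Added example. Assumes /conf/passwd follows the passwd(5) layout
# (name:pw:uid:gid:gecos:home:shell); shell paths are assumptions.

# audit_bmc_conf DIR "acct1 acct2 ..."
#   DIR: copy of the BMC's /conf directory
#   second argument: accounts the administrator knowingly gave a shell
# Prints one line per finding and returns the number of findings.
audit_bmc_conf() {
    dir=$1 expected=$2 findings=0
    [ -r "$dir/passwd" ] || { echo "cannot read $dir/passwd" >&2; return 255; }

    # Accounts with an interactive shell that are not on the expected list.
    hidden=$(awk -F: -v expected="$expected" '
        BEGIN { n = split(expected, e, " "); for (i = 1; i <= n; i++) ok[e[i]] = 1 }
        /^[ \t]*(#|$)/ { next }
        $7 ~ /\/(sh|ash|bash)$/ && !($1 in ok) { print $1 }
    ' "$dir/passwd")
    for u in $hidden; do
        echo "FINDING: unexpected account with shell access: $u"
        findings=$((findings + 1))
    done

    # A non-empty clearpasswd means passwords are kept in plaintext.
    if [ -s "$dir/clearpasswd" ]; then
        echo "FINDING: plaintext password file present: $dir/clearpasswd"
        findings=$((findings + 1))
    fi
    return "$findings"
}

# Writes constructed sample files (not taken from a real device) into DIR.
# /usr/local/bin/smash is a placeholder path for the SMASH shell.
write_sample_conf() {
    cat > "$1/passwd" <<'EOF'
root:x:0:0:root:/:/usr/local/bin/smash
admin:x:1:0:admin:/:/bin/sh
anonymous:x:2:0:anonymous:/:/bin/sh
operator1:x:3:0:operator1:/:/usr/local/bin/smash
EOF
    echo 'admin:EXAMPLE-ONLY' > "$1/clearpasswd"
}

sample=$(mktemp -d)
write_sample_conf "$sample"
audit_bmc_conf "$sample" "admin" || echo "findings: $?"
rm -rf "$sample"
```

A return value of 0 after the firmware update and configuration wipe means neither condition was found in the copied files.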



  1. Ari

     /  June 28, 2012

    This is really WTF from ASUS side? But I am almost as surprised when seeing a 103-line-long proof-of-concept program for this when just a simple screenshot would prove it 😉

  2. Jeremy Jackson

     /  October 1, 2012

    Good work, now maybe I can install a proper serial terminal like minicom or screen, and be able to send BREAK sequence to Linux console!

  3. Carlos Moio

     /  January 25, 2013

    25/01/2013… last version of firmware 1.10 released 1 week ago.. still the bug works.. I can’t believe that Asus could not patch it…

    • I think that update didn’t touch the module firmware :/ A few months ago Asus sent me a beta ASMB5 firmware which was patched.

  4. Richard

     /  February 1, 2013

    v1.10 should work. For the firmware to take effect, it has to be flashed without keeping previous configuration. Otherwise the password settings will not be updated.

    • Carlos Moio

       /  February 1, 2013

      Yes, this is the last version I have.. that I don’t have to preserve configuration when updating, that’s not so good at all. I work with servers in a datacenter and one of the purposes of KVM is to avoid remote hands or going personally to touch…..

      Maybe with ipmicfg from OS i can set it up again with IP, gonna do a try and update. Thanks to all 😉

      I’ve reported this to ASUS and they told me the 1.10 was solved.

  5. Never, ever put iKVM on public addressing! Always use VPN or SSH tunneling to a server whose sole purpose is to provide internal access to the iKVMs.

  6. Alexey

     /  February 22, 2014

    Somehow the web is not working (page loading), but I do have SSH access. Is it possible to reboot the iKVM from the SMASH-CLP console?

    • Alexey

       /  March 20, 2014

      ipmitool -H IP_server -U admin -P passwd -I lanplus raw 0x06 0x02

      • Carlos Moio

         /  November 10, 2014

        Alexey, I didn’t get this command working, it says CLOSE SESSION COMMAND FAILED … could be a different string?

  7. Josh

     /  July 1, 2015

    Is it possible to update the firmware and reset to factory defaults via ipmitool, or via some other CLI?

  8. anonymous

     /  January 1, 2018

    This problem is still happening with ASMB8. That’s ridiculous, I had set up a different IP address, including a different port, changed the passwords, and still I found my ASMB8 hacked. Not only this, I have a remote server to which I connect, the worm found itself propagating to my remote server via VPN, and hacking my other IPMI. Wow! I’m impressed as to the capabilities of these guys… it takes years to perfect these devices what takes them a day to break!

  1. Wbudowany backdoor w serwerach ASUSa | Zaufana Trzecia Strona
