Introduction

In this post I will describe how I found multiple implementation failures by ASUS that allow a remote attacker to grab users’ passwords and consequently access some ASUS iKVM/IPMI-equipped servers.

This is CRITICAL, since IPMI gives you local-ish access to the server, which can be used to bypass every security control usually placed at the network layer.

Almost everyone puts IPMI/iKVM in backend networks and accesses them in a secure way (VPN, etc.); unfortunately, there are many people who use it in public address space. Since IPMI has a very specific signature, these public IPMIs are very easy to find by scanning entire IP allocations.

This all started when I decided to take a closer look into the ASUS IPMI’s SSH interface.

Usually, in IPMI implementations, SSH is used to provide a SMASH interface.

I tried logging in with a user-created login and, unsurprisingly, the SMASH interface showed up on my screen.

    SMASH-CLP Console v1.09
    version
    COMMAND COMPLETED : version
    *****************************************************
    Smash CLP Version :SMASH 1.0.0/CLP 1.09
    *****************************************************

The Hack

Now things start to warm up.

I tried again to log in via SSH, but instead of using a user-created login, I used the “admin” login.

Dang, a Bourne shell into the IPMI’s internal BusyBox popped up on my screen.

Shell access

The first thing I checked was how users were specified, by looking into the file “/conf/passwd”:

    admin:x:502:502::/home:/bin/sh
    user1:x:504:504::/home:/usr/local/bin/smash
    user2:x:505:505::/home:/usr/local/bin/smash

This answered my doubts: user-created logins are stuck with the SMASH interface, but “admin” has shell access.

Taking a deeper look, I saw that an “anonymous” login existed and it had shell access. WHAT?

By “WHAT?” I mean: via the management interface you don’t see any “anonymous” user, and forcing a password change on this user throws a “user already exists” error. No shit?

Additionally, there was obviously a “root” login, and it also had SMASH as its shell… and again no way of changing the root password in the management interface.

Remember that both the “root” and “anonymous” users don’t work in the web management interface; they are completely invisible to it.

So the questions are: which passwords do the root and anonymous users have? Are they the same on all servers?

At this point I could not believe what I was seeing, but then it got worse…

Clear text passwords

Previously I had found the passwd file in the /conf folder; looking deeper into this folder I saw a file called “clearpasswd”, and again it was WTF? time.

    $ cat /conf/clearpasswd
    root:superuser
    anonymous:anonymous
    user1:user1passwordincleartext
    ...

    bookie:~ pedrodias$ ssh anonymous@192.168.1.25
    Password:
    BusyBox v1.1.3 (2011.02.18-03:46+0000) Built-in shell (ash)
    Enter 'help' for a list of built-in commands.
    $

ASUS stores user passwords in plain text! anonymous has shell access, which can be used to read the /conf/clearpasswd file, which contains all users’ passwords in plaintext!!!
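For an administrator reviewing a BMC's account list (from a config backup or from the admin shell above), the two things this post surfaces are accounts that get a real OS shell instead of SMASH and accounts that never appear in the web management UI, plus the presence of a cleartext credential file alongside passwd. The following audit script is an added example, not code from the original post or from ASUS; the root and anonymous passwd lines in the sample input are constructed from the post's description (their uid/gid values are assumed), and the list of UI-visible users and the /conf file listing are likewise constructed.

```python
"""Audit a BMC /conf/passwd-style account list for shell-capable or hidden accounts.

Added example (not from the original post or ASUS). Assumes the operator already
has the passwd text, the user list shown by the web management UI, and a listing
of the /conf directory.
"""
from dataclasses import dataclass

# Shells that give an interactive OS shell rather than the restricted SMASH CLP.
INTERACTIVE_SHELLS = {"/bin/sh", "/bin/ash", "/bin/bash"}

@dataclass(frozen=True)
class Finding:
    user: str
    reason: str

def parse_passwd(text):
    """Parse passwd lines into {user: login shell}; malformed lines are skipped."""
    accounts = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != 7:          # name:pw:uid:gid:gecos:home:shell
            continue
        accounts[fields[0]] = fields[6]
    return accounts

def audit_accounts(passwd_text, ui_users, conf_files):
    """Return findings for interactive-shell accounts, accounts hidden from the
    management UI, and a cleartext credential file present in /conf."""
    findings = []
    ui = set(ui_users)
    for user, shell in sorted(parse_passwd(passwd_text).items()):
        if shell in INTERACTIVE_SHELLS:
            findings.append(Finding(user, f"interactive shell {shell}"))
        if user not in ui:
            findings.append(Finding(user, "not visible in management UI"))
    if "clearpasswd" in conf_files:
        findings.append(Finding("*", "cleartext credential file /conf/clearpasswd present"))
    return findings

# Constructed sample input modelled on the post: admin/user1/user2 are from the
# quoted passwd excerpt; the root and anonymous lines (and their uid/gid) are assumed.
SAMPLE_PASSWD = """\
root:x:0:0::/root:/usr/local/bin/smash
anonymous:x:1:1::/home:/bin/sh
admin:x:502:502::/home:/bin/sh
user1:x:504:504::/home:/usr/local/bin/smash
user2:x:505:505::/home:/usr/local/bin/smash
"""
SAMPLE_UI_USERS = ["admin", "user1", "user2"]          # constructed: what the web UI lists
SAMPLE_CONF_FILES = ["passwd", "clearpasswd", "shadow"] # constructed: ls /conf

if __name__ == "__main__":
    for f in audit_accounts(SAMPLE_PASSWD, SAMPLE_UI_USERS, SAMPLE_CONF_FILES):
        print(f"{f.user}: {f.reason}")
```

On the sample input this flags admin and anonymous for having /bin/sh, root and anonymous for being absent from the UI, and the clearpasswd file; the two user-created SMASH accounts produce no findings. The same check run after a firmware update and factory reset is a quick way to confirm that the hidden accounts and the cleartext file are actually gone.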

Fix

I tried changing the root and anonymous passwords, or disabling them, via web management, WITHOUT success.

I tried the same via SMASH, WITHOUT success.

    set password=231jk4h1
    COMMAND COMPLETED : set password=231jk4h1 ufip=/system1/sp1/account1
    Password cannot be changed for userid=1

iKVM/IPMI is a backend technology! Just don’t use it in public address space!

Affected servers

Servers equipped with ASMB5-iKVM modules.

EDIT:

– If someone finds a way to change the root and/or anonymous password, feel free to contribute 🙂

– Although INTEL has a similar IPMI implementation, it is NOT affected by this.

– SUPERMICRO has a similar problem with the anonymous user (already reported by someone else), but it only gives the SMASH interface; it can easily be fixed by changing the anonymous password (disabling the anonymous user does not solve the problem).

EDIT VENDOR:

– I’ve been told that ASUS is already working actively on it. A new firmware update (v1.9) should be released soon after the test phase.

EDIT (FIX):

– Update to the recently released v1.10 and do a factory reset/config wipe to close this hole (you must do a factory reset, or else the problem will still be there).