Asus ASMB5-iKVM Exploit Using Undocumented, Hidden Root Shell Accounts
While working on my Asus server, I discovered undocumented root shell accounts present on the Asus ASMB5-iKVM remote module that do not appear on the web interface. Incredibly, I was able to log in with an anonymous root account and view all other account passwords because they are stored in clear text.
This is security negligence on the part of Asus.
This exploit is supposedly fixed in firmware version 1.10, but the hidden accounts remained after the update. It is necessary to reset the IPMI module to factory defaults before this security mistake is fixed.
The Asus IPMI module provides ssh access on port 22. After logging in, check the /conf/clearpasswd file to list all other accounts on the module. You may see your own password displayed in clear text, along with the passwords for the administrator, root and "anonymous" accounts.
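As an added audit example (not Asus code and not from the original post), the script below parses a copy of the module's credential file and flags accounts that do not appear in the web interface and secrets stored unhashed. It assumes a one `name:password` record per line layout, which the page does not document; the account names and secrets in the sample are constructed placeholders.

```python
"""Audit a BMC credential file for hidden accounts and cleartext secrets.

Assumed layout: one ``name:password`` record per line (the real
/conf/clearpasswd format is not documented; adjust parse_records()).
"""
from __future__ import annotations

import re

# Accounts the administrator created and expects to see in the web UI (constructed).
UI_VISIBLE_ACCOUNTS = frozenset({"admin", "operator"})

# Constructed sample in the assumed layout; values are placeholders, not real defaults.
SAMPLE_CLEARPASSWD = """\
# name:password
admin:example-admin-pw
operator:example-op-pw
root:example-hidden-pw
anonymous:example-hidden-pw
"""

# crypt(3)-style hashes look like $id$salt$hash; anything else counts as cleartext.
_CRYPT_HASH = re.compile(r"^\$[0-9a-z]+\$")


def parse_records(text: str) -> dict[str, str]:
    """Return {account: stored_secret}, skipping blank and comment lines."""
    records: dict[str, str] = {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        name, sep, secret = line.partition(":")
        if not sep or not name:
            raise ValueError(f"line {lineno}: expected name:password, got {line!r}")
        records[name] = secret
    return records


def is_cleartext(secret: str) -> bool:
    """True when a non-empty stored value is not a crypt-style hash."""
    return bool(secret) and _CRYPT_HASH.match(secret) is None


def audit(text: str, visible: frozenset[str] = UI_VISIBLE_ACCOUNTS) -> list[tuple[str, str]]:
    """Return (account, issue) pairs: 'hidden' for accounts absent from the UI,
    'cleartext' for secrets stored unhashed."""
    findings: list[tuple[str, str]] = []
    for account, secret in parse_records(text).items():
        if account not in visible:
            findings.append((account, "hidden"))
        if is_cleartext(secret):
            findings.append((account, "cleartext"))
    return findings
```

Run `audit(open("/path/to/copied/clearpasswd").read())` against a copy pulled off the module; any "hidden" finding is an account you cannot manage from the web UI and should be removed by the factory reset described below.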
I updated the firmware to version 1.10 over 1.5 years ago, but there was no security notice telling me to reset the module to factory defaults. In fact, the default option is to preserve settings. These root accounts have been on my server during that time and I had no idea until today. I discovered this by accident when trying to reset an account password.
Mistakes and bugs are expected and always something to worry about in IT security. Keeping these types of problems hidden is not the solution. Asus' security is negligent not because of an amateur mistake but because of how it handled the problem.
Fixing the Mistake
If you have firmware older than 1.10, then update the module and un-check the box "Preserve system configuration". Preserving the configuration will preserve the security problem, too.
If you installed version 1.10 and selected to preserve the configuration, you need to re-install version 1.10 and un-check the "preserve" box. Using "Maintenance -> Restore Factory" blocked login for the "anonymous" account but still permitted access for "root" with the default password shown above.
After re-applying the firmware and resetting the configuration, I noticed that Asus' solution is to block all shell access to the console. After updating, you will only be able to use the "Smash" command interface. BusyBox shell access is now blocked. This is an amateur solution to an amateur mistake.