A Hidden User On Your Asustor NAS

Moderator: Lillian.W@AST

MonsMagnus
Posts: 74
Joined: Sat Mar 11, 2017 2:17 am

A Hidden User On Your Asustor NAS

Post by MonsMagnus »

I was reading the forums this morning when I came across a post that discussed an unknown user account for our NAS devices. Anyone can log in to the NAS with the username of nvradmin for both username and password. See here viewtopic.php?f=71&t=9593
Antonios
Posts: 82
Joined: Tue Jun 27, 2017 1:05 pm

Re: A Hidden User On Your Asustor NAS

Post by Antonios »

Have read in here probably that sometimes support would need to connect remotely to solve something or for whatever other reason, supposedly with the NAS owner's informed consent.

Maybe this is the hidden user's real usage, surely they could have done better with the password thing but I have seen before such back door implementations for legit support use to have even more ridiculous passwords.

Above only applies if legit use was intended and such. Cause if it ain't...

Just my 2c.
MikeG.6.5
Posts: 917
Joined: Fri May 15, 2015 1:56 am

Re: A Hidden User On Your Asustor NAS

Post by MikeG.6.5 »

I just tried to do this with my own system through WinSCP, and wasn't able to log in with that user ID/Password. So that leads me to ask a question:

What apps do those of you with this issue have installed? Do any of you have some sort of camera apps running?
wde
Posts: 224
Joined: Sun Jun 16, 2013 5:00 pm

Re: A Hidden User On Your Asustor NAS

Post by wde »

I had this issue and locked the account.
No camera app used here. I don't have ASUSTOR Portal app installed either as I don't use HDMI output.

Just updated ADM to 3.1.1.RGG1. Maybe that fixed the issue.
My NAS: Flashtor 6 FS6706T ADM: 4.2.7.RRD1 Router: Technicolor CGM4331COM (XB7)
sksbir
Posts: 395
Joined: Tue Aug 25, 2015 9:23 pm

Re: A Hidden User On Your Asustor NAS

Post by sksbir »

wde wrote:....Just updated ADM to 3.1.1.RGG1. Maybe that fixed the issue.
nope.
MonsMagnus
Posts: 74
Joined: Sat Mar 11, 2017 2:17 am

Re: A Hidden User On Your Asustor NAS

Post by MonsMagnus »

I can confirm that using the Web interface this user is still able to log in to the AS6202T running the latest ADM 3.1.1.RGG1. How about it Asustor, what's up with this?
mafredri
Posts: 371
Joined: Sat Mar 22, 2014 8:41 am

Re: A Hidden User On Your Asustor NAS

Post by mafredri »

MonsMagnus wrote:I can confirm that using the Web interface this user is still able to log in to the AS6202T running the latest ADM 3.1.1.RGG1. How about it Asustor, what's up with this?
Yeah, this is pretty unacceptable. Any form of remote login (no matter how limited) is a chance to escape the sandbox and escalate privileges.

EDIT: Furthermore, if someone has once logged in and manages to keep the session alive, disabling the user or changing the password won't help. They won't be logged out. This just illustrates the above point that no system is secure, or designed without faults and limiting access is key.
Hi, I'm new here. Looking to be active in the community and help with development :).
Storage: AS-604T with 3GB RAM (Kingston KVR1333D3S8S9/2G)
sksbir
Posts: 395
Joined: Tue Aug 25, 2015 9:23 pm

Re: A Hidden User On Your Asustor NAS

Post by sksbir »

You cannot change the password from the web interface, but you can edit /etc/shadow from a terminal once logged in as root. I just removed the first encrypted character, and logging in with this hidden account has become impossible.
We must now verify that this modification is permanent and will outlive a reboot.
MonsMagnus
Posts: 74
Joined: Sat Mar 11, 2017 2:17 am

Re: A Hidden User On Your Asustor NAS

Post by MonsMagnus »

sksbir wrote:You cannot change the password from the web interface, but you can edit /etc/shadow from a terminal once logged in as root. I just removed the first encrypted character, and logging in with this hidden account has become impossible.
We must now verify that this modification is permanent and will outlive a reboot.
Because I have no idea why Asustor would create this account I am reluctant to do anything that would risk corrupting or removing it because it could break something else. Asustor needs to advise all of us why it's there, what if anything it's used for, and how or even if we can safely remove it.
vitosx
Posts: 52
Joined: Sun Sep 24, 2017 11:30 pm

Re: A Hidden User On Your Asustor NAS

Post by vitosx »

Here's the answer support gave me:
The NVR ADM account is a back door testing account normally we do not share it with our end users.
If you look in carefully the account does not have any privileges nor account access right.
Therefore even if log in you are not able to see any content in the NAS.
This account was created and was used internally for testing purpose.
It shows level of commitment to product security at Asustor. :(

You can safely disable it with the following command:

passwd -l nvradmin
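
An added example, not part of the original thread and not Asustor's code: a small shell check that reads a shadow-format file and reports whether an account such as nvradmin is locked, so the lock can be re-verified after a reboot or an ADM update. The `shadow_status` function and the sample entries are constructed for illustration; it assumes `passwd -l` marks the account by prefixing the password field with `!`.

```shell
#!/bin/sh
# Added example (not from the thread): report the state of an account's
# password field in a shadow-format file.
# Usage: shadow_status USER [FILE]
#   FILE defaults to /etc/shadow, which requires root to read.
shadow_status() {
    user=$1
    file=${2:-/etc/shadow}
    awk -F: -v u="$user" '
        $1 == u {
            found = 1
            if ($2 == "")        print "empty-password"   # no password required
            else if ($2 ~ /^!/)  print "locked"           # marker set by passwd -l (assumed)
            else if ($2 == "*")  print "no-password-login"
            else                 print "active-hash"      # a password may still match
            exit
        }
        END { if (!found) print "absent" }
    ' "$file"
}

# Constructed sample data: these are not real hashes and not taken from a NAS.
SAMPLE=$(mktemp)
trap 'rm -f "$SAMPLE"' EXIT
cat > "$SAMPLE" <<'EOF'
root:$6$CONSTRUCTED$notARealHash:17400:0:99999:7:::
nvradmin:!$6$CONSTRUCTED$notARealHash:17400:0:99999:7:::
guest:*:17400:0:99999:7:::
EOF

# Report each account in the sample; on a real system, call
# "shadow_status nvradmin" as root and alert on anything but "locked".
for account in root nvradmin guest nosuchuser; do
    printf '%-12s %s\n' "$account" "$(shadow_status "$account" "$SAMPLE")"
done
```

An entry altered by hand, as in the /etc/shadow edit described earlier in the thread, carries no `!` marker, so this check reports it as `active-hash` even when no password matches it any longer. As noted above in the thread, locking the account does not end a session that is already open.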