.gitignore
Base64Decode.c
LICENSE
Makefile
README.md
decrypt.c
decrypt.h

README.md

CVE-2019-15802 decrypter

The Zyxel firmware for the GS1900 switches, at least version 2.40(AAHH.2)C0, contains hardcoded parameters which are used for AES256-CBC encryption and decryption of passwords. These parameters (IV, salt and password) are fixed for all devices running the firmware.

salt[] = "1A3BB2F78D6EC7D8";
iv[32] = "2268BA68768B58C3687D4F205923A741";
key_data[64] = "EC14D4F5BC6B9A3766D31EF9A1BB854121FB938B606462C70B2D0E26549C486A";

A longer write-up of this (and the associated issues) is available here and Zyxel's advisory is here.

decrypter

Based on the code in libsal.so (responsible for the encryption and decryption in the firmware) I hacked up a quick tool to demonstrate how these hardcoded parameters can be used to decrypt passwords, e.g. in combination with CVE-2019-15799.

The hardcoded credentials in the firmware (CVE-2019-15801) were also encrypted with this key.
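Because the parameters are identical on every device, a file extracted from a firmware image (such as libsal.so) can be checked for them directly. The following is an added example, not code from this repository: `scan_blob` and `find_bytes` are hypothetical names, and also matching the packed-byte form of each value is an assumption, since the README only shows them as ASCII hex strings.

```c
#include <stdio.h>
#include <string.h>
typedef unsigned char u8;
#define N_KNOWN 3
/* Hex strings exactly as listed in this README, in order: salt, iv, key_data. */
static const char *const KNOWN[N_KNOWN] = {
    "1A3BB2F78D6EC7D8",
    "2268BA68768B58C3687D4F205923A741",
    "EC14D4F5BC6B9A3766D31EF9A1BB854121FB938B606462C70B2D0E26549C486A",
};

/* Offset of the first occurrence of needle in hay, or -1 if absent. */
static long find_bytes(const u8 *hay, size_t hlen, const u8 *needle, size_t nlen)
{
    for (size_t i = 0; nlen && i + nlen <= hlen; i++)
        if (memcmp(hay + i, needle, nlen) == 0) return (long)i;
    return -1;
}

/* offs[i] = offset of KNOWN[i] (ASCII form first, then packed bytes, which is
 * an assumption) or -1. Returns a bitmask: bit i set when KNOWN[i] was found. */
unsigned scan_blob(const u8 *buf, size_t len, long offs[N_KNOWN])
{
    unsigned mask = 0;
    for (int i = 0; i < N_KNOWN; i++) {
        size_t slen = strlen(KNOWN[i]);
        u8 packed[32];                       /* longest value is 64 hex chars */
        for (size_t j = 0; j < slen / 2; j++)
            sscanf(KNOWN[i] + 2 * j, "%2hhx", &packed[j]);
        offs[i] = find_bytes(buf, len, (const u8 *)KNOWN[i], slen);
        if (offs[i] < 0) offs[i] = find_bytes(buf, len, packed, slen / 2);
        if (offs[i] >= 0) mask |= 1u << i;
    }
    return mask;
}

int main(int argc, char **argv)
{
    static u8 buf[16 << 20];                 /* only the first 16 MiB is scanned */
    FILE *f = argc == 2 ? fopen(argv[1], "rb") : NULL;
    if (!f) { fprintf(stderr, "usage: %s <file extracted from firmware>\n", argv[0]); return 2; }
    size_t n = fread(buf, 1, sizeof buf, f);
    fclose(f);
    long offs[N_KNOWN];
    unsigned mask = scan_blob(buf, n, offs);
    for (int i = 0; i < N_KNOWN; i++)
        if (mask >> i & 1) printf("%s found at offset 0x%lx\n", KNOWN[i], offs[i]);
    return mask ? 1 : 0;                     /* exit status 1: constants present */
}
```

An exit status of 1 means at least one of the fixed values is present in the scanned file, so passwords stored by that firmware should be treated as recoverable.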
