
MEDIUM Disclosed

Sensitive Data Exposure in Logs

Captive portal credentials are written to syslog in plaintext on authentication failure.

  • CVE: CVE-2026-6822, CVE-2026-6259
  • Vendor: Inhand Networks
  • Product: 5G Modem

Executive Summary

An authentication-related binary path was analyzed (including get_captive_portal_auth), and one vulnerability was confirmed: a medium-severity CWE-532 information leak in which the configured portal credentials are written to syslog in plaintext when authentication fails.

Binary Profile

  • Security Flags: PIE absent / NX absent / stack_canary absent / RELRO absent
  • Risk Level: Medium

Findings

1. Sensitive Portal Credentials Logged on Authentication Failure — Medium

  • Function: get_captive_portal_auth @ 0x41b6c0
  • CWE: CWE-532 — Insertion of Sensitive Information into Log File
  • Category: info_leak
  • Reachability: reachable_from_network

Description

At 0x41b998, the function calls syslog with the format string "portal auth failed [%s] [%s]" and passes values derived from the authentication fields and the stored portal credentials. SSA evidence shows that values from nvram_safe_get("portal_lo_un") and nvram_safe_get("portal_lo_pw") flow into the syslog arguments without redaction, so the configured username and password can appear in plaintext in the logs whenever authentication fails. Because the code path is network-reachable, remote requests can trigger repeated sensitive log entries.

Taint Chain

nvram_safe_get("portal_lo_pw") @ 0x41b7d8
str2#6 = phi(str2_1,str2_2) @ 0x41b990
$a3_3#7 = str2#6 @ 0x41b994
(+ parallel input str1#7 from arg1 offsets +0x14/+0x94 via phi @ 0x41b990)
syslog(6, "portal auth failed [%s] [%s]", ...) @ 0x41b998

Mitigations

  • Present: none
  • Absent: credential_redaction, stack_canary, PIE, NX, RELRO
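
The absent credential_redaction control, sketched beside the logging pattern from the Description. This is an added example, not the vendor's code. The nvram_safe_get stub, its sample values, the function names and the field/peer parameters are assumptions, and so is reading the two %s arguments as the submitted value and the stored value.

```c
#include <stdio.h>
#include <string.h>
#include <syslog.h>

/* Stand-in for the firmware's NVRAM accessor; values are constructed samples. */
static const char *nvram_safe_get(const char *key)
{
    if (strcmp(key, "portal_lo_un") == 0) return "portal-user";
    if (strcmp(key, "portal_lo_pw") == 0) return "Example-Passw0rd";
    return "";
}

/* Pattern from the advisory: submitted and stored values are both logged. */
static int format_failure_vulnerable(char *out, size_t n, const char *submitted,
                                     const char *stored)
{
    return snprintf(out, n, "portal auth failed [%s] [%s]", submitted, stored);
}

/* Hardened: log which check failed and the peer address, never a credential. */
static int format_failure_redacted(char *out, size_t n, const char *field,
                                   const char *peer)
{
    return snprintf(out, n, "portal auth failed: field=%s peer=%s", field, peer);
}

/* Regression check: returns 1 if the line contains a stored portal credential. */
static int line_leaks_credentials(const char *line)
{
    const char *un = nvram_safe_get("portal_lo_un");
    const char *pw = nvram_safe_get("portal_lo_pw");
    return (*un && strstr(line, un)) || (*pw && strstr(line, pw));
}

int main(void)
{
    char line[256];

    format_failure_vulnerable(line, sizeof line, "guess123",
                              nvram_safe_get("portal_lo_pw"));
    printf("before: %s (leaks=%d)\n", line, line_leaks_credentials(line));

    format_failure_redacted(line, sizeof line, "password", "192.0.2.10");
    printf("after:  %s (leaks=%d)\n", line, line_leaks_credentials(line));
    syslog(LOG_INFO, "%s", line); /* priority 6; constant format, no secrets */
    return 0;
}
```

The submitted value is left out of the hardened line as well, since it is attacker-controlled and may itself be a mistyped password.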