Security experts have discovered that some models of D-Link and Comba WiFi routers leak their administrative login credentials in plaintext .

Security researchers from Trustwave’s SpiderLabs have discovered several credential leaking vulnerabilities in some models of D-Link and Comba Telecom.

The researcher Simon Kenin from SpiderLabs discovered five credential leaking vulnerabilities, three of them affect some Comba Telecom WiFi routers, the remaining impact a D-Link DSL modem.

An attacker could use these credentials to take over the routers and perform several malicious activities by changing device settings (i.e. change DNS settings to hijack the traffic, perform MitM attacks).

“There are five new credential leaking vulnerabilities discovered and disclosed by Simon Kenin. Two are in a D-Link DSL modem typically installed to connect a home network to an ISP.” reads the security advisory. “The other three are in multiple Comba Telecom WiFi devices. All the vulnerabilities involve insecure storage of credentials including three where cleartext credentials available to any user with network access to the device.”

In previous research, Kenin discovered similar flaws (CVE-2017-5521) in at tens of models of Netgear routers that were potentially affecting over one million Netgear customers.

While analyzing the dual-band D-Link DSL-2875AL wireless router, the expert discovered that a file located at https : //[router ip address ] /romfile.cfg contains the login password of the device in plaintext . Anyone with access to the web-based management IP address can read the files without any authentication. The expert confirmed that at least versions 1.00.01 & 1.00.05 are affected and likely models.

The second flaw affects D-Link DSL-2875AL and the DSL-2877AL models. Analyzing the source code of the router login page (https://[router ip address]/index.asp) Kenin niticed the following lines:

var username_v = '<%TCWebApi_get("Wan_PVC","USERNAME","s")%>';

var password_v = '<%TCWebApi_get("Wan_PVC","PASSWORD","s")%>';

The devices are leaking the credentials for authenticating with the Internet Service Provider (ISP).

“The username & password listed there are used by the user to connect to his/her ISP. This could allow an attacker to access the ISP account or the router itself if they admins reused the same credentials.” continues the advisory.

Kenin reported the flaw to the vendor in early July, but D-Link released the fix on September 6.

The first of the three flaws affecting the Comba Wi-Fi Access Controllers impacts the Comba AC2400. The device leaks the MD5 hash of the device password by accessing the following URL without requiring any authentication.

https://[router ip address]/09/business/upgrade/upcfgAction.php?download=true

MD5 is known to be very easy to reverse, and the expert pointed out that if SSH/Telnet is enabled and attacker could take over the device.

The remaining two issues impact the Comba AP2600-I WiFi Access Point (version A02,0202N00PD2).

One of them causes the leak of MD5 hash of the device username and password through the source code of the web-based management login page, the second one the leak of credentials in plaintext stored in an SQLite database file located at:

https : //[router ip address ] / goform / downloadConfigFile .

The expert attempted to report the flaws to the vendor since February, but without success. The three flaws are unpatched at the time of writing.

“These types of router vulnerabilities are very serious. Since your router is the gateway in and out of your entire network it can potentially affect every user and system on that network. An attacker-controlled router can manipulate how your users resolve DNS hostnames to direct your users to malicious websites.” concludes the advisory. “An attacker-controlled router can deny access in and out of the network perhaps blocking your users from accessing important resources or blocking customers from accessing your website.”

Pierluigi Paganini