Security researchers from Trustwave’s SpiderLabs have discovered several credential-leaking vulnerabilities in some D-Link and Comba Telecom device models.
SpiderLabs researcher Simon Kenin discovered five credential-leaking vulnerabilities: three of them affect some Comba Telecom WiFi routers, and the remaining two impact a D-Link DSL modem.
An attacker could use these credentials to take over the routers and perform several malicious activities by changing device settings (i.e.
“There are five new credential leaking vulnerabilities discovered and disclosed by Simon Kenin. Two are in a D-Link DSL modem typically installed to connect a home network to an ISP.” reads the security advisory. “The other three are in multiple Comba Telecom WiFi devices. All the vulnerabilities involve insecure storage of
In previous research, Kenin discovered similar flaws (CVE-2017-5521) in tens of models of Netgear routers, potentially affecting over one million Netgear customers.
While analyzing the dual-band D-Link DSL-2875AL wireless router, the expert discovered that a file located at
The second flaw affects the D-Link DSL-2875AL and DSL-2877AL models. Analyzing the source code of the router login page (https://[router ip address]/index.asp), Kenin noticed the following lines:
var username_v = '<%TCWebApi_get("Wan_PVC","USERNAME","s")%>';
var password_v = '<%TCWebApi_get("Wan_PVC","PASSWORD","s")%>';
The devices are leaking the credentials for authenticating with the Internet Service Provider (ISP).
“The username & password listed there are used by the user to connect to his/her ISP. This could allow an attacker to access the ISP account or the router itself if the admins reused the same credentials.” continues the advisory.
Kenin reported the flaw to the vendor in early July, but D-Link released the fix on September 6.
The first of the three flaws affecting the Comba Wi-Fi Access Controllers
https://[router ip address]/09/business/upgrade/upcfgAction.php?download=true
MD5 hashes are known to be very easy to crack, and the expert pointed out that if SSH/Telnet is enabled and
The remaining two issues impact the Comba AP2600-I WiFi Access Point (version A02,0202N00PD2).
One of them leaks the MD5 hash of the device username and password through the source code of the web-based management login page; the second one leaks credentials in
https://[router ip address]/goform/downloadConfigFile
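The D-Link login-page lines quoted above and the Comba login-page hash leak share one pattern: credential values rendered into page source that is served before authentication. The following check is an added example, not code from the advisory or from either vendor; it audits saved login-page source from a device you administer for that pattern. The sample pages, the `admin_pwd` name and the heuristics are constructed assumptions, including that the device replaces the `<%...%>` tags with literal values before the page reaches the browser.

```python
import re

# Inline-JS assignments whose variable name looks credential-related,
# e.g.  var password_v = '...';  (heuristic name list is an assumption)
ASSIGN_RE = re.compile(
    r"""\b(?:var|let|const)\s+(\w*(?:user|pass|pwd|login)\w*)\s*=\s*(['"])(.*?)\2""",
    re.IGNORECASE,
)
MD5_RE = re.compile(r"\A[0-9a-fA-F]{32}\Z")   # 32 hex chars: MD5-sized digest
TEMPLATE_RE = re.compile(r"<%.*?%>")          # unrendered server-side tag


def classify(value):
    """Describe what the quoted value holds without echoing it."""
    if value == "":
        return "empty"
    if TEMPLATE_RE.search(value):
        return "unrendered-template"
    if MD5_RE.match(value):
        return "md5-like-hash"
    return "plaintext"


def audit_login_page(html):
    """Return one finding per credential-like assignment in the page source."""
    findings = []
    for lineno, line in enumerate(html.splitlines(), start=1):
        for m in ASSIGN_RE.finditer(line):
            kind = classify(m.group(3))
            findings.append({
                "line": lineno,
                "variable": m.group(1),
                "kind": kind,
                "leak": kind in ("plaintext", "md5-like-hash"),
                "length": len(m.group(3)),  # report size only, never the secret
            })
    return findings


# Constructed samples: what a browser would receive from a leaking page,
# and a page where nothing sensitive is rendered.
SAMPLE_RENDERED = """<script>
var username_v = 'isp-user@example.invalid';
var password_v = 'EXAMPLE-ONLY';
var admin_pwd = '0123456789abcdef0123456789abcdef';
var lang_v = 'en';
</script>"""
SAMPLE_SAFE = """var username_v = '<%TCWebApi_get("Wan_PVC","USERNAME","s")%>';
var password_v = '';"""
```

A finding with `leak` set to true on a pre-authentication page means the value is readable by anyone who can reach the management interface, so the credential should be rotated once the firmware is updated.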
The expert has attempted to report the flaws to the vendor since February, but without success. The three flaws are
“These types of router vulnerabilities are very serious. Since your router is the gateway in and out of your entire network it can potentially affect every user and system on that network. An attacker-controlled router can manipulate how your users resolve DNS