What could be worse than your router leaking its administrative login credentials in plaintext?
Cybersecurity researchers from Trustwave’s SpiderLabs have discovered multiple security vulnerabilities in some router models from two popular manufacturers—D-Link and Comba Telecom—that involve insecure storage of credentials, potentially affecting every user and system on that network.
Researcher Simon Kenin told The Hacker News that he discovered a total of five vulnerabilities—two in a D-Link DSL modem typically installed to connect a home network to an ISP, and three in multiple Comba Telecom WiFi devices.
These flaws could potentially allow attackers to change your device settings, extract sensitive information, perform MitM attacks, redirect you to phishing or malicious sites and launch many more types of attacks.
“Since your router is the gateway in and out of your entire network it can potentially affect every user and system on that network. An attacker-controlled router can manipulate how your users resolve DNS hostnames to direct your users to malicious websites,” Kenin says in a blog post published today.
Kenin is the same security researcher who previously discovered similar vulnerability (CVE-2017-5521) in at least 31 models of Netgear routers, allowing remote hackers to obtain the admin password of the affected devices and potentially affecting over one million Netgear customers.
D-Link WiFi Router Vulnerabilities
The first vulnerability resides in the dual-band D-Link DSL-2875AL wireless router, where a file located at https://[router ip address]/romfile.cfg contains login password of the device in plaintext and can be accessed by anyone with access to the web-based management IP address, without requiring any authentication.
The second vulnerability impacts D-Link DSL-2875AL and the DSL-2877AL models and leaks the username and password the targeted router use for authenticating with the Internet Service Provider (ISP).
According to the researchers, a local attacker connected to the vulnerable router or a remote attacker, in case of the router is exposed to the Internet, can obtain victims’ ISP credentials just by looking at the source code (HTML) of the router login page at https://[router ip address]/index.asp.
“The following username & password are used by the user to connect to his ISP, leaking this info could allow an attacker to use those credentials for himself and abuse the ISP,” the advisory for the flaw explains.
“On top of that, bad security habits of password reuse could possibly allow an attacker to gain control of the router itself.”
Researchers notified D-Link of the vulnerabilities in early January, but the company released Firmware patches on September 6, just three days prior to the full disclosure of the issues.
Comba Wi-Fi Access Controller Vulnerabilities
Out of three, the first vulnerability impacts the Comba AC2400 WiFi Access Controller, leaking the MD5 hash of the device password just by accessing the following URL without requiring any authentication.
https://[router ip address]/09/business/upgrade/upcfgAction.php?download=true
“The username is admin, with system privileges and the md5 of his password is 61d217fd8a8869f6d26887d298ce9a69 (trustwave). MD5 is very easy to break, if SSH/Telnet is enabled, this could lead to a full takeover of the filesystem of the device,” the advisory reads.
The other two vulnerabilities impact the Comba AP2600-I WiFi Access Point (version A02,0202N00PD2).
One of these flaws also leaks MD5 hash of the device username and password through the source code of the web-based management login page, while the other one leaks credentials in plaintext stored in an SQLite database file located at https://[router ip address]/goform/downloadConfigFile.
Researchers attempted to contact Comba Telecom multiple times since February this year, but never succeeded in receiving a response.
All the three vulnerabilities discovered in Comba Telecom routers are unpatched at the time of writing, and it remains unknown whether the company has any plan to address them or not.