Some D-Link and Comba WiFi Routers Leak Their Passwords in Plaintext


Cybersecurity researchers from Trustwave’s SpiderLabs have discovered multiple security vulnerabilities in some router models from two popular manufacturers—D-Link and Comba Telecom—that involve insecure storage of credentials, potentially affecting every user and system on that network.

Researcher Simon Kenin discovered a total of five vulnerabilities: two in a D-Link DSL modem typically installed to connect a home network to an ISP, and three in multiple Comba Telecom WiFi devices.

These flaws could potentially allow attackers to change your device settings, extract sensitive information, perform MitM attacks, redirect you to phishing or malicious sites and launch many more types of attacks.

“Since your router is the gateway in and out of your entire network it can potentially affect every user and system on that network. An attacker-controlled router can manipulate how your users resolve DNS hostnames to direct your users to malicious websites,” Kenin says in a blog post published today.

Kenin is the same security researcher who previously discovered a similar vulnerability (CVE-2017-5521) in at least 31 models of Netgear routers, allowing remote hackers to obtain the admin password of the affected devices and potentially affecting over one million Netgear customers.

D-Link WiFi Router Vulnerabilities

The first vulnerability resides in the dual-band D-Link DSL-2875AL wireless router, where a file located at //[router ip address]/romfile.cfg contains the login password of the device in plaintext and can be accessed by anyone with access to the web-based management IP address, without requiring any authentication.

The second vulnerability impacts the D-Link DSL-2875AL and DSL-2877AL models and leaks the username and password the targeted router uses for authenticating with the Internet Service Provider (ISP).

According to the researchers, a local attacker connected to the vulnerable router, or a remote attacker if the router is exposed to the Internet, can obtain victims’ ISP credentials just by looking at the source code (HTML) of the router login page at //[router ip address]/index.asp.

“The following username & password are used by the user to connect to his ISP, leaking this info could allow an attacker to use those credentials for himself and abuse the ISP,” the advisory for the flaw explains.


“On top of that, bad security habits of password reuse could possibly allow an attacker to gain control of the router itself.”


Researchers notified D-Link of the vulnerabilities in early January, but the company released firmware patches on September 6, just three days prior to the full disclosure of the issues.

Comba Wi-Fi Access Controller Vulnerabilities

Of the three, the first vulnerability impacts the Comba AC2400 WiFi Access Controller, which leaks the MD5 hash of the device password to anyone who accesses the following URL, without requiring any authentication.

//[router ip address]/09/business/upgrade/upcfgAction.php?download=true

“The username is admin, with system privileges and the md5 of his password is 61d217fd8a8869f6d26887d298ce9a69 (trustwave). MD5 is very easy to break, if SSH/Telnet is enabled, this could lead to a full takeover of the filesystem of the device,” the advisory reads.

The other two vulnerabilities impact the Comba AP2600-I WiFi Access Point (version A02,0202N00PD2).

One of these flaws also leaks the MD5 hash of the device username and password through the source code of the web-based management login page, while the other one leaks credentials in plaintext stored in an SQLite database file located at //[router ip address]/goform/downloadConfigFile.

Researchers attempted to contact Comba Telecom multiple times since February this year, but never succeeded in receiving a response.

All three vulnerabilities discovered in Comba Telecom routers are unpatched at the time of writing, and it remains unknown whether the company has any plan to address them.
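
Added example (not from Trustwave's advisories or the original article): a log check a defender can run to spot requests for the unauthenticated configuration paths named above. It assumes a proxy or network sensor in front of the management interface that writes Common Log Format lines; the function names and sample lines are constructed for illustration.

```python
import re
from urllib.parse import unquote

# Unauthenticated paths named in the article that return configuration or credentials.
# /index.asp is left out: it is the normal login page, so a request for it is not a signal.
SENSITIVE_PATHS = {
    "/romfile.cfg": "D-Link DSL-2875AL config file (plaintext login password)",
    "/09/business/upgrade/upcfgaction.php": "Comba AC2400 config download (MD5 of password)",
    "/goform/downloadconfigfile": "Comba AP2600-I SQLite config (plaintext credentials)",
}

# Assumed input: Common Log Format lines from a proxy or sensor in front of the
# management interface (the routers themselves are not assumed to log requests).
CLF = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) ')

def normalise(target):
    """Drop the query, percent-decode, collapse repeated slashes, lower-case for matching."""
    path = unquote(target.split("?", 1)[0])
    return re.sub(r"/{2,}", "/", path).lower()

def find_config_fetches(lines):
    """Return (source, timestamp, path, status, description) for each matching request."""
    hits = []
    for line in lines:
        m = CLF.match(line)
        path = normalise(m["target"]) if m else None  # lines in another format are skipped
        if path in SENSITIVE_PATHS:
            hits.append((m["src"], m["ts"], path, int(m["status"]), SENSITIVE_PATHS[path]))
    return hits

def served(hits):
    """Requests answered with 2xx: the file was returned, so treat its credentials as exposed."""
    return [h for h in hits if 200 <= h[3] < 300]

# Constructed sample log lines (documentation address ranges), not real traffic.
SAMPLE = [
    '198.51.100.23 - - [01/Jan/2024:08:14:02 +0000] "GET /romfile.cfg HTTP/1.1" 200 18342',
    '192.0.2.10 - - [01/Jan/2024:08:15:40 +0000] "GET /index.asp HTTP/1.1" 200 5120',
    '203.0.113.7 - - [01/Jan/2024:09:01:11 +0000] "GET /09/business/upgrade/upcfgAction.php?download=true HTTP/1.1" 200 40960',
    '203.0.113.7 - - [01/Jan/2024:09:01:15 +0000] "GET /goform/downloadConfigFile HTTP/1.1" 404 0',
    '198.51.100.23 - - [01/Jan/2024:09:30:00 +0000] "GET /goform//downloadConfigFile HTTP/1.1" 200 65536',
]

if __name__ == "__main__":
    for src, ts, path, status, desc in find_config_fetches(SAMPLE):
        print(f"{ts} {src} {status} {path}: {desc}")
```

Any hit that `served()` returns means the device handed the file over, so the router and ISP credentials it contains should be changed after the management interface is restricted or the firmware is updated.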


The information is gathered from The Hacker News.