Trustwave SpiderLabs Security Advisory TWSL2019-007:
Vulnerabilities in Comba Products
Published: Currently unpublished
Version: 1.0
Vendor: Comba (http://www.comba-telecom.com/)
Finding 1: Remote and Local Password Disclosure
Credit: Simon Kenin of Trustwave
Product: AC2400
Version affected: All
Product description:
Wi-Fi Access Controller
The Comba AC2400 is prone to password disclosure via a simple crafted request to the web
management server.
PoC:
====
https://127.0.0.1/09/business/upgrade/upcfgAction.php?download=true
This request doesn't require any authentication and results in the
DBconfig.cfg file being downloaded. At the end of the file the login information is stored in
plain text, for example:
#**#admin#**#system#**#61d217fd8a8869f6d26887d298ce9a69#**#0#**#3#**#2#**#2#**#2017-01-01#**#forever
The username is admin, with system privileges, and the MD5 of its password is
61d217fd8a8869f6d26887d298ce9a69 (trustwave). MD5 is very easy to break; if
SSH/Telnet is enabled, this could lead to full takeover of the device's
filesystem.
-=-=-=-=-=-=-=-=-=-=-
Finding 2: Remote and Local Password Disclosure
Credit: Simon Kenin of Trustwave
Product: AP2600-I,A02,0202N00PD2
Version affected: All
Product description:
The AP2600-I series is a high-performance indoor Access Point that provides Wi-Fi
coverage for both the 2.4GHz and 5GHz bands.
The Comba AP2600 is prone to password disclosure via an insecure authentication mechanism.
PoC:
====
Looking at the HTML source of the login page, you would see the following lines:
//admin
//trustwave
The username and password values are the double MD5 of the real plaintext value:
md5(md5(value))
-=-=-=-=-=-=-=-=-=-=-
Finding 3: Remote and Local Password Disclosure
Credit: Simon Kenin of Trustwave
Product: AP2600-I,A02,0202N00PD2
Version affected: All
Product description:
The AP2600-I series is a high-performance indoor Access Point that provides Wi-Fi
coverage for both the 2.4GHz and 5GHz bands.
The Comba AP2600 is prone to password disclosure via a simple crafted request to the web
management server.
PoC:
====
https://127.0.0.1/goform/downloadConfigFile
This request doesn't require any authentication and results in the
femtoOamStore.db file being downloaded. The file is an SQLite database; the username and
password are stored in plain text in a table named "TABLE_SERVICE_INF".
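Detection logic for the two unauthenticated config-export requests (Findings 1 and 3), run over constructed access-log lines, as an added example that is not part of this advisory or Comba's software. It assumes the device, or a reverse proxy in front of it, writes common-format access logs in which these paths appear verbatim; the sample IPs and timestamps are constructed.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Unauthenticated config-export requests from the advisory. Assumption: the device
# (or a reverse proxy in front of it) writes common-format access logs in which
# these paths appear verbatim.
CONFIG_EXPORT_PATHS = {
    "/09/business/upgrade/upcfgAction.php": {"download": "true"},  # AC2400, Finding 1
    "/goform/downloadConfigFile": {},                                # AP2600, Finding 3
}

# Common log format: client ident user [time] "METHOD TARGET PROTO" status bytes
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) \S+'
)

def parse_line(line):
    """Split one access-log line into fields; None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    entry = m.groupdict()
    url = urlsplit(entry["target"])
    entry["path"] = url.path
    entry["query"] = {k: v[0] for k, v in parse_qs(url.query).items()}
    entry["status"] = int(entry["status"])
    return entry

def is_config_export(entry):
    """True if the path and any required query values match an export URL."""
    required = CONFIG_EXPORT_PATHS.get(entry["path"])
    if required is None:
        return False
    return all(entry["query"].get(k, "").lower() == v for k, v in required.items())

def detect(lines):
    """(client_ip, path, status) for every export attempt; 2xx means it succeeded."""
    alerts = []
    for entry in map(parse_line, lines):
        if entry and is_config_export(entry):
            alerts.append((entry["ip"], entry["path"], entry["status"]))
    return alerts
# Constructed sample log lines (RFC 5737 documentation addresses), not real traffic.
SAMPLE_LOG = """\
203.0.113.7 - - [10/Sep/2019:10:02:11 +0000] "GET /09/business/upgrade/upcfgAction.php?download=true HTTP/1.1" 200 18231
203.0.113.7 - - [10/Sep/2019:10:02:15 +0000] "GET /goform/downloadConfigFile HTTP/1.1" 200 40960
198.51.100.3 - - [10/Sep/2019:10:05:00 +0000] "GET /login.html HTTP/1.1" 200 2048
198.51.100.3 - - [10/Sep/2019:10:05:02 +0000] "GET /09/business/upgrade/upcfgAction.php?download=false HTTP/1.1" 200 512
""".splitlines()
```

Since no patch exists, every hit is worth an alert; a 2xx status means the export actually succeeded and the device's credentials should be treated as compromised.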
Vendor Response:
Non-responsive
Remediation Steps:
No patches or workarounds for these issues are currently available
Revision History:
02/15/2019 - Vendor contacted with no response
03/28/2019 - Vendor contacted with no response
07/31/2019 - Vendor contacted with no response
09/10/2019 - Advisory published
About Trustwave:
Trustwave is the leading provider of on-demand and subscription-based
information security and payment card industry compliance management
solutions to businesses and government entities throughout the world. For
organizations faced with today's challenging data security and compliance
environment, Trustwave provides a unique approach with comprehensive
solutions that include its flagship TrustKeeper compliance management
software and other proprietary security solutions. Trustwave has helped
thousands of organizations--ranging from Fortune 500 businesses and large
financial institutions to small and medium-sized retailers--manage
compliance and secure their network infrastructure, data communications and
critical information assets. Trustwave is headquartered in Chicago with
offices throughout North America, South America, Europe, Africa, China and
Australia. For more information, visit https://www.trustwave.com
About Trustwave SpiderLabs:
SpiderLabs(R) is the advanced security team at Trustwave focused on
application security, incident response, penetration testing, physical
security and security research. The team has performed over a thousand
incident investigations, thousands of penetration tests and hundreds of
application security tests globally. In addition, the SpiderLabs Research
team provides intelligence through bleeding-edge research and proof of
concept tool development to enhance Trustwave's products and services.
https://www.trustwave.com/spiderlabs
Disclaimer:
The information provided in this advisory is provided "as is" without
warranty of any kind. Trustwave disclaims all warranties, either express or
implied, including the warranties of merchantability and fitness for a
particular purpose. In no event shall Trustwave or its suppliers be liable
for any damages whatsoever including direct, indirect, incidental,
consequential, loss of business profits or special damages, even if
Trustwave or its suppliers have been advised of the possibility of such
damages. Some states do not allow the exclusion or limitation of liability
for consequential or incidental damages so the foregoing limitation may not
apply.