
Don't Ruck Us Again - The Exploit Returns

Conference:  Defcon 28

2020-08-01

Summary

The speakers presented their follow-up research on vulnerabilities in the firmware of Ruckus Networks' ZoneDirector and Unleashed devices and demonstrated two new pre-auth RCEs: a stack buffer overflow and a command injection combined with a credential overwrite. They also shared a Ghidra script they wrote to recover function names from log strings in binaries and from embedded sources in open source projects.
  • The speakers demonstrated two pre-auth RCEs in Ruckus Networks' firmware: a stack buffer overflow and a command injection combined with a credential overwrite
  • They shared a Ghidra script they wrote to recover function names from log strings in binaries and from embedded sources in open source projects
  • The Ghidra script recovered plenty of information and saved time and effort during reversing
  • The speakers are in the process of writing a generic version of the script that will not rely on specific debug information
  • The speakers also found another stack overflow that was reachable through unauthenticated web requests
The speakers demonstrated the command injection with credential overwrite by overwriting the device's credentials and obtaining root access. They also shared their payload and showed how a new command injection was used to open a port on the device. They emphasized the importance of updating firmware so as not to fall victim to serious vulnerabilities.
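The summary only says that the speakers' Ghidra script recovered function names from log strings. The script below is an added illustration of that idea, written for this page; it is not the speakers' script and it does not reproduce their heuristics. It assumes that debug strings in the binary name their emitting function in common C logging shapes ("[name] ...", "name: ...", "... name() ..."), and the helper names `function_name_from_log_string`, `tally` and `rename_from_log_strings` are this example's own. The Ghidra API calls (`currentProgram.getListing()`, `getDefinedData`, `getReferencesTo`, `getFunctionContaining`, `Function.setName`) are real Ghidra script APIs; the pure-Python helpers also import and run outside Ghidra, the Ghidra-specific part only runs when the script is executed inside Ghidra.

```python
import re

# Patterns for how log/debug strings commonly name the function that emits
# them. These are assumptions about typical C logging idioms, not patterns
# taken from the Ruckus binaries discussed in the talk.
_PATTERNS = (
    re.compile(r'^\[([A-Za-z_]\w{2,})\]'),      # "[wlan_apply] ..."
    re.compile(r'^([A-Za-z_]\w{2,}):\s'),       # "wlan_apply: ..."
    re.compile(r'\b([A-Za-z_]\w{2,})\(\)'),     # "... in wlan_apply() ..."
)

# Identifier-shaped tokens that are log levels or protocol names, not functions.
_STOPWORDS = {'error', 'warning', 'warn', 'debug', 'info', 'usage',
              'http', 'https', 'ftp'}


def function_name_from_log_string(s):
    """Return the function name a log string appears to name, else None."""
    for pat in _PATTERNS:
        m = pat.search(s)
        if m and m.group(1).lower() not in _STOPWORDS:
            return m.group(1)
    return None


def tally(pairs):
    """Majority vote over (function_key, candidate_name) pairs.

    Returns {function_key: (best_name, hit_count)}; ties are broken by the
    lexicographically larger name so the result is deterministic."""
    counts = {}
    for key, name in pairs:
        per_func = counts.setdefault(key, {})
        per_func[name] = per_func.get(name, 0) + 1
    return {key: max(per_func.items(), key=lambda kv: (kv[1], kv[0]))
            for key, per_func in counts.items()}


def rename_from_log_strings(dry_run=True):
    """Ghidra-only: for every defined string that looks like a log line,
    vote its recovered name for each function referencing it, then rename
    functions that still carry Ghidra's default FUN_ name.
    Relies on the script global `currentProgram` that Ghidra injects."""
    from ghidra.program.model.symbol import SourceType
    from java.lang import Exception as JException
    listing = currentProgram.getListing()
    refman = currentProgram.getReferenceManager()
    funcs, pairs = {}, []
    for data in listing.getDefinedData(True):
        if not data.hasStringValue():
            continue
        name = function_name_from_log_string(str(data.getValue()))
        if name is None:
            continue
        for ref in refman.getReferencesTo(data.getAddress()):
            func = listing.getFunctionContaining(ref.getFromAddress())
            if func is not None:
                key = str(func.getEntryPoint())
                funcs[key] = func
                pairs.append((key, name))
    renamed = 0
    for key, (best, hits) in tally(pairs).items():
        func = funcs[key]
        if not func.getName().startswith('FUN_'):
            continue   # keep names supplied by symbols or the analyst
        print('%s %s -> %s (%d string hits)' % (key, func.getName(), best, hits))
        if not dry_run:
            try:
                func.setName(best, SourceType.USER_DEFINED)
            except JException as e:   # e.g. DuplicateNameException
                print('  skipped: %s' % e)
                continue
        renamed += 1
    return renamed


try:
    currentProgram          # injected only when run as a Ghidra script
except NameError:
    pass                    # imported outside Ghidra: helpers only
else:
    # Dry run lists the proposed renames; pass dry_run=False to apply them.
    print('would rename %d functions' % rename_from_log_strings(dry_run=True))
```

Voting per function matters because a large function often references several log strings, and a string such as "error in parse_header()" can be referenced from a caller that is not parse_header; the count lets the analyst review low-confidence renames before applying them.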

Abstract

From the researchers who brought you "Don't Ruck Us Too Hard" comes brand new follow-up research. This summer! We will show that all of Ruckus Wireless "ZoneDirector" and "Unleashed" devices are still vulnerable. This follow-up research includes six new vulnerabilities, such as command injection, information leakage, credentials overwrite, stack overflow and XSS. With these vulnerabilities, we were able to achieve two new and different pre-auth RCEs. Combined with the first research, that is five entirely different RCEs in total. We also found that Ruckus did not fix some of the vulnerabilities from the first research correctly, and they are still exploitable by using a very neat payload :). Other cool stuff about this research: We will share a new Ghidra script we used to map the critical sections in the webserver binary that were later found vulnerable. We managed to fingerprint Universities and Organizations that were vulnerable from the internet. BlackHat uses Ruckus Wireless for Wi-Fi solutions.
