Gal Zror

Robert-Lipovsky

Talk Title:

Don't Ruck Us Too Hard - Owning All of Ruckus AP devices

Abstract:

Ruckus Networks is a company selling wired and wireless networking equipment and software.

This talk presents vulnerability research conducted on Ruckus access points and wi-fi controllers, which resulted in 3 different pre-authentication remote code execution. Exploitation used various vulnerabilities such as information leak, authentication bypass, command injection, path traversal, stack overflow, and arbitrary file read/write. Ruckus has confirmed all 10 CVEs we field for this research (CVE-2019-19834 - 19843).

Throughout the research, 33 different access points firmware and wi-fi controllers examined, all of them were found vulnerable. This talk also introduces and shares the framework used in this research. That includes a Ghidra script and a dockerized QEMU full system emulation for easy cross-architecture research setup.

Detailed Outline:

This talk demonstrates 3 remote code executions and the techniques used to find and exploit them.

It overviews Ruckus equipment and their attack surfaces. Explain the firmware analysis and emulation prosses using our dockerized QEMU full system framework.

-Demo #1 - RCE using credential leakage with CLI jailbreak.

-Demo #2 - RCE suing stack buffer overflow without authentication.

-Describe the web interface logic using the Ghidra decompiler and its scripting environment.

-Demo #3 - RCE using vulnerability chaining of command injection with the authentication bypass

All Tools used in this research were published.

Bio:

Gal Zror is a research team leader in Aleph Research group at HCL AppScan which based in Heyzliya Israel. Gal has extensive experience with vulnerability research and specialized in embedded systems and protocols. Gal is also an amateur boxer and a tiki culture enthusiastic.

Copyright © 2019-20 | Nullcon India | International Security Conference | All Rights Reserved