Don't Ruck Us Too Hard - Owning Ruckus AP Devices

3 different RCE vulnerabilities on Ruckus Wireless access points devices.

Gal Zror

Playlists: '36c3' videos starting here / audio

Ruckus Networks is a company selling wired and wireless networking equipment and software. This talk presents vulnerability research conducted on Ruckus access points and WiFi controllers, which resulted in 3 different pre-authentication remote code execution. Exploitation used various vulnerabilities such as information leak, authentication bypass, command injection, path traversal, stack overflow, and arbitrary file read/write. Throughout the research, 33 different access points firmware examined, and all of them were found vulnerable. This talk also introduces and shares the framework used in this research. That includes a Ghidra script and a dockerized QEMU full system emulation for easy cross-architecture research setup.
Here's a fun fact: BlackHat USA 2019 used Ruckus Networks access points.

Presentation Outline:
This talk demonstrates 3 remote code executions and the techniques used to find and exploit them.
It overviews Ruckus equipment and their attack surfaces. Explain the firmware analysis and emulation prosses using our dockerized QEMU full system framework.
-Demonstrate the first RCE and its specifics. Describe the webserver logic using Ghidra decompiler and its scripting environment.
-Demonstrate the second RCE using stack overflow vulnerability.
-Lastly, demonstrate the third RCE by using a vulnerability chaining technique.
All Tools used in this research will be published.

Download

These files contain multiple languages.

This Talk was translated into multiple languages. The files available for download contain all languages as separate audio-tracks. Most desktop video players allow you to choose between them.

Please look for "audio tracks" in your desktop video player.

Embed

Share:

Tags