From the researchers who brought to you “Don’t Ruck Us Too Hard” comes a brand new follow-up research. This summer! We will show that all of Ruckus Wireless “ZoneDirector” and the “Unleashed” devices are still vulnerable.
This follow-up research includes six new vulnerabilities, such as command injection, information leakage, credentials overwrite, and stack overflow and XSS. With these vulnerabilities, we were able to achieve two new and different pre-auth RCEs. Combined with the first research, that is five entirely different RCEs in total. We also found that Ruckus did not fix some of the vulnerabilities from the first research correctly, and they are still exploitable by using a very neat payload :).
Other cool stuff about this research:
We will share a new Ghidra script we used to map the critical sections in the webserver binary that were later found vulnerable.
We managed to fingerprinted Universities and Organizations that were vulnerable from the internet.
BlackHat uses Ruckus Wireless for Wi-Fi solutions.
Gal Zror is a research team leader in Aleph Research group at HCL AppScan, based in Herzliya Israel. Gal has extensive experience with vulnerability research and specialized in embedded systems and protocols. Gal is also an amateur boxer and a tiki culture enthusiast.
Level 0, Red Team Village