Conference logo

Don't Ruck Us Too Hard - Owning Ruckus AP Devices - Gal Zror

36c3 - Security - 12/28/2019

Ruckus Networks is a company selling wired and wireless networking equipment and software. This talk presents vulnerability research conducted on Ruckus access points and WiFi controllers, which resulted in 3 different pre-authentication remote code execution. Exploitation used various vulnerabilities such as information leak, authentication bypass, command injection, path traversal, stack overflow, and arbitrary file read/write. Throughout the research, 33 different access points firmware examined, and all of them were found vulnerable. This talk also introduces and shares the framework used in this research. That includes a Ghidra script and a dockerized QEMU full system emulation for easy cross-architecture research setup.
Here's a fun fact: BlackHat USA 2019 used Ruckus Networks access points.

Presentation Outline:
This talk demonstrates 3 remote code executions and the techniques used to find and exploit them.
It overviews Ruckus equipment and their attack surfaces. Explain the firmware analysis and emulation prosses using our dockerized QEMU full system framework.
-Demonstrate the first RCE and its specifics. Describe the webserver logic using Ghidra decompiler and its scripting environment.
-Demonstrate the second RCE using stack overflow vulnerability.
-Lastly, demonstrate the third RCE by using a vulnerability chaining technique.
All Tools used in this research will be published.

Share this talk:
https://c3stream.de/Info?guid=4d3166b6-77ec-47b2-b70f-d7f656ea9427