On August 8th, Gal Zror from the HCL AppScan Aleph cyber-security team will present a DEF CON session titled, “Don’t Ruck Us Again – The Exploit Returns.”
This session will cover Gal’s follow-up research to an initial vulnerability he discovered related to Ruckus Wireless’ “ZoneDirector” and “Unleashed” routers, which was presented at the 36th annual Chaos Communication Congress. The researchers examined the firmware of 33 different Ruckus access points, all of which were found to be vulnerable.
Three attack scenarios were discovered:
- A web interface credential disclosure and CLI jailbreak to obtain a root shell on the access point.
- A stack overflow in the ‘zap’ executable that was made possible by sending an unauthenticated HTTP request to the web interface.
- An arbitrary file write using the ‘zap’ executable that can create a new ‘jsp’ page that does not require authentication and is vulnerable to command injection.
“Some of these vulnerabilities are really straightforward,” Zror told SecurityWeek. “The first one, for example, is simple to execute.”
As noted by TechCrunch, if attackers find and take advantage of vulnerabilities in the router’s software, they can control the device and gain access to the wider internal network, exposing computers and other devices to hacks and data theft. Zror explains that because many of the routers are accessible from the internet, they make “very good candidates for botnets.” In a botnet, an attacker forcibly enlists a vulnerable router, or any other internet-connected device, into a distributed network under the attacker’s control, which can be collectively told to pummel websites and other networks with massive amounts of junk traffic, knocking them offline. There are “thousands” of vulnerable Ruckus routers on the internet.
Zror’s follow-up research includes six new vulnerabilities, such as command injection, information leakage, credentials overwrite, stack overflow and Cross-Site Scripting (XSS). With these vulnerabilities, he was able to identify two new and different pre-auth Remote Code Execution attacks (RCEs). Combined with his first research, Zror has uncovered five entirely different RCEs in total. He also found that Ruckus did not correctly fix some of the vulnerabilities from the first research, and that they are still exploitable using a very neat payload.
90% of attacked devices are routers and connected cameras, according to a 2019 Symantec Internet Security Threat Report (ISTR).
Once a router is hacked, your entire business network and anything connected to it is at risk. According to the University of Maryland, malicious hackers are now attacking computers and networks at a rate of one attack every 39 seconds.
Securing wireless endpoints is paramount in reducing cyber-attacks, but the odds are that hackers will gain access, especially given the larger attack surface created by the unique circumstances in 2020. Consider a multi-layered device, DevOps and AppSec approach that includes application security testing measures that minimize the potential risk of OWASP Top 10 vulnerabilities, such as Injection and Cross-Site Scripting (XSS).