On August 8th, Gal Zror from the HCL AppScan Aleph cyber-security team will present a DEF CON session titled “Don’t Ruck Us Again – The Exploit Returns.”

This session will cover Gal’s follow-up research to an initial vulnerability he discovered related to Ruckus Wireless’ “ZoneDirector” and “Unleashed” routers, presented at the 36th annual Chaos Communication Congress. The researchers examined the firmware of 33 different Ruckus access points, all of which were found to be vulnerable.

Three attack scenarios were discovered:

  1. A web interface credential disclosure and CLI jailbreak to obtain a root shell on the access point.
  2. A stack overflow in the ‘zap’ executable that was made possible by sending an unauthenticated HTTP request to the web interface.
  3. An arbitrary file write using the ‘zap’ executable that can create a new ‘jsp’ page that does not require authentication and is vulnerable to command injection.

“Some of these vulnerabilities are really straightforward,” Zror told SecurityWeek. “The first one, for example, is simple to execute.”

As noted by TechCrunch, if attackers find and take advantage of vulnerabilities in the router’s software, they can control the device and gain access to the wider internal network, exposing computers and other devices to hacks and data theft. Zror explains that because many of the routers are accessible from the internet, they make “very good candidates for botnets.” In a botnet, an attacker forcibly enlists a vulnerable router, or any other internet-connected device, into a distributed network under the attacker’s control, which can be collectively told to pummel websites and other networks with massive amounts of junk traffic, knocking them offline. There are “thousands” of vulnerable Ruckus routers on the internet.

Zror’s follow-up research includes six new vulnerabilities, such as command injection, information leakage, credentials overwrite, stack overflow and Cross-Site Scripting (XSS). With these vulnerabilities, he was able to detect two new and different pre-auth Remote Code Execution attacks (RCEs). Combined with his first research, Zror has uncovered five entirely different RCEs in total. He also found that Ruckus did not fix some of the vulnerabilities from the first research correctly, and they are still exploitable by using a very neat payload.

90% of attacked devices are routers and connected cameras, according to a 2019 Symantec Internet Security Threat Report (ISTR).

Once a router is hacked, your entire business network and anything connected to it is at risk. According to the University of Maryland, malicious hackers are now attacking computers and networks at a rate of one attack every 39 seconds.

Securing wireless endpoints is paramount in reducing cyber-attacks, but the odds are that hackers will gain access, especially given the larger attack surface created by the unique circumstances in 2020. Consider a multi-layered device, DevOps and AppSec approach that includes application security testing measures that minimize the potential risk of OWASP Top 10 vulnerabilities, such as Injection and Cross-Site Scripting (XSS).

You can test-drive HCL AppScan on Cloud here.
