Don't Ruck Us Too Hard - Owning All of Ruckus AP Devices

nullcon via YouTube

Overview

Explore vulnerability research conducted on Ruckus access points and Wi-Fi controllers, revealing three pre-authentication remote code execution exploits. Delve into the exploitation of various vulnerabilities, including information leaks, authentication bypasses, command injections, path traversals, stack overflows, and arbitrary file read/write operations. Examine the 10 confirmed CVEs filed for this research and learn about the framework used, including a Ghidra script and dockerized QEMU full system emulation for cross-architecture research. Gain insights into the extensive testing of 33 different access point firmware and Wi-Fi controllers, all found to be vulnerable. Discover the speaker's background in vulnerability research and embedded systems, as well as their interests outside of cybersecurity.

Syllabus

Intro
Ruckus Networks Equipment
echo SUSER
R510 Unleashed
Firmware
Dockerized QEMU
Server Web Directory
Fetching rpmkey
CLI Jailbreak
Retrieving function names
Web interface - authentication mechanism
Web interface - Session check
Standard ajax request
Unauth ajax request
Exploitation
What about command injection?
sys_wrapper.sh
Weird stuff
Session needed
Zap to the rescue
Arbitrary file write
Zapd server
Zap command
Chained vulnerabilities
Conclusions
Post Research
Final thoughts

Taught by

nullcon