Don't Ruck Us Too Hard - Owning All of Ruckus AP Devices
Offered By: nullcon via YouTube
Course Description
Overview
Explore vulnerability research conducted on Ruckus access points and Wi-Fi controllers that produced three pre-authentication remote code execution exploits. Delve into the exploitation of several vulnerability classes, including information leaks, authentication bypasses, command injections, path traversals, stack overflows, and arbitrary file read/write primitives, and how they were chained together. Examine the 10 confirmed CVEs filed for this research and learn about the framework used along the way, including a Ghidra script and dockerized QEMU full-system emulation for cross-architecture research. Gain insights into the testing of 33 different access point firmware versions and Wi-Fi controllers, all of which were found to be vulnerable. Discover the speaker's background in vulnerability research and embedded systems, as well as their interests outside of cybersecurity.
Syllabus
Intro
Ruckus Networks Equipment
echo $USER
R510 Unleashed
Firmware
Dockerized QEMU
Server Web Directory
Fetching rpmkey
CLI Jailbreak
Retrieving function names
Web interface - authentication mechanism
Web interface - Session check
Standard ajax request
Unauth ajax request
Exploitation
What about command injection?
sys_wrapper.sh
Weird stuff
Session needed
Zap to the rescue
Arbitrary file write
Zapd server
Zap command
Chained vulnerabilities
Conclusions
Post Research
Final thoughts
Taught by
nullcon
Related Courses
CVE Series: Log4J (CVE-2021-44228) - Cybrary
JavaScript Security - Infosec via Coursera
Ivanti Avalanche Vulnerability: What You Should Know - Pluralsight
Ivanti Connect Secure VPN Vulnerability: What You Should Know - Pluralsight
OpenPrinting CUPS Remote Code Execution Exploit Chain: What You Should Know - Pluralsight