36C3 - Don't Ruck Us Too Hard - Owning Ruckus AP Devices

Title:
36C3 - Don't Ruck Us Too Hard - Owning Ruckus AP Devices
Description:

https://media.ccc.de/v/36c3-10816-don_t_ruck_us_too_hard_-_owning_ruckus_ap_devices

3 different RCE vulnerabilities in Ruckus Wireless access point devices.

Ruckus Networks is a company selling wired and wireless networking equipment and software. This talk presents vulnerability research conducted on Ruckus access points and WiFi controllers, which resulted in 3 different pre-authentication remote code executions. Exploitation used various vulnerabilities such as information leak, authentication bypass, command injection, path traversal, stack overflow, and arbitrary file read/write. Throughout the research, 33 different access point firmwares were examined, and all of them were found vulnerable. This talk also introduces and shares the framework used in this research. That includes a Ghidra script and a dockerized QEMU full system emulation for easy cross-architecture research setup.
Here's a fun fact: BlackHat USA 2019 used Ruckus Networks access points.

Presentation Outline:
This talk demonstrates 3 remote code executions and the techniques used to find and exploit them.
It gives an overview of Ruckus equipment and its attack surfaces, then explains the firmware analysis and emulation process using our dockerized QEMU full system framework.
- Demonstrate the first RCE and its specifics. Describe the webserver logic using the Ghidra decompiler and its scripting environment.
- Demonstrate the second RCE using a stack overflow vulnerability.
- Lastly, demonstrate the third RCE by using a vulnerability chaining technique.
All tools used in this research will be published.

Gal Zror

https://fahrplan.events.ccc.de/congress/2019/Fahrplan/events/10816.html

Video Language:
English
Duration:
48:40
http://www.youtube.com/watch?v=bmGtG55Zz1Q
http://www.youtube.com/watch?v=YlyF8QWCXds