CVE-2023-25717 RCE Hunt.


The journey to find the websites or IP addresses running a vulnerable version of Ruckus begins at the gates of Shodan. It provides crucial information about Internet-facing systems, including open ports, known vulnerabilities, and the services running on a given IP address or website, such as a Ruckus admin interface.

The Ruckus admin interface typically offers a user-friendly interface with intuitive controls and comprehensive tools to simplify the management and maintenance of Ruckus wireless networks. Unfortunately, cybersecurity researchers and ethical hackers found an RCE vulnerability in its handling of the login request.

CVE-2023-25717

By employing a carefully constructed search query on Shodan, a list of IP addresses running Ruckus was successfully revealed.

18k IP addresses running Ruckus

Thanks to the Shodan API, which allows Shodan to be used flexibly from the terminal, I obtained a download of all the IP addresses, including those on the new patched version (> 10.4). To filter out the patched versions, I employed httpx, which helped me identify and separate them from the rest. This ensured that I focused only on the systems that were outdated.

Filtration mind map

“-mwc 17” means “match word count 17”. It refers to the vulnerable version of Ruckus, whose response contains 17 words. The updated version, on the other hand, returns a response with a word count of 13.
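The same sorting of hosts into patched and unpatched, turned around for the defender's side: an added example (not code from the original post) that takes an inventory of your own Ruckus devices with the version string shown on their admin page and flags every device not above the 10.4 threshold the post names. The inventory entries are constructed sample data, and treating "> 10.4" as a comparison on the major.minor part of the version is an assumption of this example.

```python
"""Flag Ruckus devices whose reported firmware version is not above 10.4.

The post states that releases newer than 10.4 carry the fix, so anything at
or below 10.4 is treated as unpatched. The inventory below is constructed
sample data, not output from the original write-up.
"""
import re
from typing import Iterable, List, Tuple

# Assumption: "> 10.4" is read as a comparison on the (major, minor) pair.
FIXED_AFTER = (10, 4)


def parse_version(text: str) -> Tuple[int, ...]:
    """Extract the dotted numeric version from a banner such as 'Ruckus 10.4.1.0'.

    Raises ValueError if no version-looking token is present, so a host with
    an unreadable banner is reported instead of silently skipped.
    """
    match = re.search(r"\d+(?:\.\d+)+", text)
    if not match:
        raise ValueError(f"no version found in {text!r}")
    return tuple(int(part) for part in match.group(0).split("."))


def is_patched(version: Tuple[int, ...]) -> bool:
    """True when major.minor is strictly greater than 10.4 (tuple comparison)."""
    return version[:2] > FIXED_AFTER


def unpatched_hosts(inventory: Iterable[Tuple[str, str]]) -> List[Tuple[str, str]]:
    """Return (host, reason) pairs for every device that needs attention."""
    findings = []
    for host, banner in inventory:
        try:
            version = parse_version(banner)
        except ValueError as exc:
            findings.append((host, f"unknown version: {exc}"))
            continue
        if not is_patched(version):
            findings.append((host, f"firmware {'.'.join(map(str, version))} <= 10.4"))
    return findings


# Constructed sample inventory: (hostname, version string from the admin page).
SAMPLE_INVENTORY = [
    ("ap-lobby.example.internal", "Ruckus Wireless 10.3.0.0"),
    ("ap-floor2.example.internal", "Ruckus Wireless 10.4.1.0"),
    ("ap-floor3.example.internal", "Ruckus Wireless 10.5.0.0"),
    ("ap-warehouse.example.internal", "Ruckus Wireless"),
]

if __name__ == "__main__":
    for host, reason in unpatched_hosts(SAMPLE_INVENTORY):
        print(f"{host}: {reason}")
```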

I also used hakrevdns, which allowed me to input a list of IP addresses and automated the process of querying DNS servers for reverse DNS information. It quickly resolved the IP addresses to their corresponding hostnames.

Utilizing this data, I passively identified the IP addresses of various companies, enabling me to determine which ones are running a Vulnerability Disclosure Program.

To be ethical and fair, I made sure to ask for permission before doing anything to the identified companies. I didn’t take advantage of them without their agreement. Respecting their rights and giving them the choice was the right thing to do.

However, it’s important to note that, according to the CISA warning, the proof of concept for this vulnerability is simple: it can be exploited by intercepting the login request. The weakness lies in how the system handles certain parameters of that request, which can be exploited using Commix.

https://github.com/commixproject/commix/wiki

When Commix successfully exploits an RCE vulnerability, the ethical hacker gains a remote command shell or control interface on the target system. This shell allows them to execute commands, explore the system, and potentially access sensitive information.

Thanks to the Cybersecurity and Infrastructure Security Agency (CISA) for issuing a warning to raise awareness among the public…
