πŸ”Ubiquiti *.supp file decryption key found, method to inspect support and configuration packages

Ubiquiti's UniFi Controller is a powerful network management platform that provides comprehensive control over UniFi networking devices. I recently moved my Dockerised UniFi image from on-prem to the cloud to simplify my home network and reduce the amount of network equipment I keep at home.

Whilst doing this, however, I came across some issues that meant my on-prem config backup could not be read by my controller in the cloud. To begin troubleshooting why an unknown error was being echoed into the container logs, I contacted Ubiquiti to see if they had any ideas. They naturally requested a copy of my cloud instance's network support package. Being conscious that security keys, RADIUS credentials and other private secrets could be exposed to an unknown party via unencrypted email, I wanted to know what was in the support package before I sent it off.

After grabbing the network_support_dd-mm-yyyy.supp file from my controller, I inspected the file for any magic numbers to try to ascertain what format it was in, and to quickly identify whether it was a simple ZIP container.

Image showing the first 50 bytes of the network support file, in effort to try identify the file using its File Signature

The first 20 bytes did not match any known file signature, which suggests either that the file is a proprietary format known only to Ubiquiti or that the file is encrypted. A good method of estimating the probability that a file is encrypted is to calculate its Shannon entropy, i.e. the randomness of the data:

Wikipedia article re: file entropy
After analysing the *.supp package, its entropy came out very high. This usually indicates the file is encrypted or heavily obfuscated (compressed data scores similarly high, so on its own entropy says "not plaintext" rather than "definitely encrypted").
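The two checks above (a magic-number lookup on the header and a Shannon entropy estimate) are easy to script. The following is an added example, not code from the original post; the signature table and the 7.9 bits/byte threshold are my own assumptions, chosen so that both compressed and encrypted blobs land in the "likely encrypted or compressed" bucket:

```python
#!/usr/bin/env python3
"""Added example (not from the original post): identify a file by magic
number and estimate whether it is encrypted using Shannon entropy."""
import math
from collections import Counter
from typing import Optional

# (offset, signature bytes, label). An assumed, small table of common
# signatures; extend as needed. The ZIP entry is the one the post ends up matching.
SIGNATURES = [
    (0, b"PK\x03\x04", "ZIP archive"),
    (0, b"PK\x05\x06", "ZIP archive (empty)"),
    (0, b"\x1f\x8b", "gzip"),
    (0, b"7z\xbc\xaf\x27\x1c", "7-Zip archive"),
    (0, b"BZh", "bzip2"),
    (0, b"\x89PNG\r\n\x1a\n", "PNG image"),
    (0, b"%PDF", "PDF"),
    (0, b"\x7fELF", "ELF executable"),
    (257, b"ustar", "tar (POSIX ustar)"),
]


def match_signature(data: bytes) -> Optional[str]:
    """Return the label of the first matching signature, or None."""
    for offset, magic, label in SIGNATURES:
        if data[offset:offset + len(magic)] == magic:
            return label
    return None


def shannon_entropy(data: bytes) -> float:
    """Entropy in bits per byte: 0.0 for a constant stream, 8.0 for uniform bytes."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def assess(data: bytes, high: float = 7.9) -> dict:
    """Combine both checks into a verdict. `high` is an assumed threshold:
    compressed and encrypted data both sit near 8 bits/byte, so a high score
    means 'not plaintext', not 'definitely encrypted'."""
    label = match_signature(data)
    ent = shannon_entropy(data)
    if label:
        verdict = f"recognised container: {label}"
    elif ent >= high:
        verdict = "no known signature and near-maximal entropy: likely encrypted (or compressed)"
    else:
        verdict = "no known signature, moderate entropy: unknown or structured format"
    return {"signature": label, "entropy": round(ent, 4), "verdict": verdict}


if __name__ == "__main__":
    import sys
    with open(sys.argv[1], "rb") as f:
        blob = f.read()
    print(blob[:20].hex(" "))  # the header bytes the post looked at
    print(assess(blob))
```

Run it as `python3 identify.py network_support_dd-mm-yyyy.supp`; the same script, pointed at the decrypted output later on, should report the ZIP signature.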

After seeing that the file entropy was high, I started digging around the internet for possible exploits in Ubiquiti's software, when I came across the following Ubiquiti Metasploit Framework module.

Link to MetaSploit documentation
Screenshot of the source code (and key/initialisation vector 🎉) for the above Metasploit module

Having found the key, cipher and initialisation vector used for the encrypted package, we can decrypt it and inspect its contents further.

Screenshot of obtaining the hexadecimal values of the password and IV to pass to OpenSSL below

Using OpenSSL, we can decrypt the file using the following structured command:

terminal
./openssl enc -d -in network_support_dd-mm-yyyy.supp -out network_support_dd-mm-yyyy.supp.out -aes-128-cbc -K 626379616e676b6d6c756f686d617273 -iv 75626e74656e74657270726973656170 -nosalt -nopad

This leaves a network_support_dd-mm-yyyy.supp.out file in the current working directory. Analysing that file for clues about its format, we can see the resulting file signature is that of a standard ZIP file:

Finally, a file signature that is recognisable, 50 4B 03 04, the defined file signature for ZIP

When trying to view the contents of the ZIP, the decrypted archive appears to be corrupt, and repeated export attempts produced the same error:

Renaming the decrypted file to append the .zip extension and then trying to extract with Expand-Archive results in an error that means I am unable to extract via CLI.

As seen above, the tail of the archive is what strict extractors object to. The most likely cause is that the controller pads the plaintext to the AES block size before encrypting with something other than PKCS#7 (which is why -nopad is needed at all), so the decrypted file carries a few bytes after the ZIP end-of-central-directory record; Expand-Archive treats that as corruption, whereas 7-Zip tolerates it. Either way there is no noticeable loss of data from the archive. I managed to extract the data successfully with 7-Zip without error, giving the following directory tree:
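To avoid depending on a lenient extractor, the decrypt-and-inspect steps above can be done in one script. This is an added example, not code from the original post or any Ubiquiti tool: it uses the same key and IV as the openssl command (assumes the `cryptography` package for AES-128-CBC), checks for the ZIP local-file-header signature, and trims everything after the end-of-central-directory (EOCD) record so that strict extractors accept the result. The EOCD parsing is standard ZIP layout; the sample archive built by `build_sample_archive()` is constructed for demonstration and is not a real support package.

```python
#!/usr/bin/env python3
"""Added example (not part of the original post or any Ubiquiti tool):
decrypt a .supp blob with the published key/IV, then trim anything after the
ZIP end-of-central-directory record so strict extractors accept it."""
import io
import struct
import sys
import zipfile

# Key and IV as passed to `openssl enc -K ... -iv ...` in the post.
KEY = bytes.fromhex("626379616e676b6d6c756f686d617273")
IV = bytes.fromhex("75626e74656e74657270726973656170")

ZIP_LOCAL_HEADER = b"PK\x03\x04"
ZIP_EOCD = b"PK\x05\x06"
EOCD_FIXED_LEN = 22  # fixed part of the EOCD record; the archive comment follows it


def decrypt_supp(ciphertext: bytes, key: bytes = KEY, iv: bytes = IV) -> bytes:
    """AES-128-CBC with no padding removal, matching `openssl enc -d ... -nopad`.
    Assumes the `cryptography` package is installed; imported lazily so the
    ZIP helpers below work without it."""
    from cryptography.hazmat.primitives.ciphers import Cipher, algorithms, modes
    if len(ciphertext) % 16:
        raise ValueError("ciphertext length is not a multiple of the AES block size")
    dec = Cipher(algorithms.AES(key), modes.CBC(iv)).decryptor()
    return dec.update(ciphertext) + dec.finalize()


def is_zip(data: bytes) -> bool:
    """True if the data starts with the ZIP local file header signature 50 4B 03 04."""
    return data[:4] == ZIP_LOCAL_HEADER


def trim_zip(data: bytes) -> bytes:
    """Return the archive cut at the end of its EOCD record. Bytes left after it
    (block padding that -nopad does not strip) are what makes Expand-Archive
    report a corrupt archive. Assumes the archive comment itself does not
    contain the EOCD signature."""
    pos = data.rfind(ZIP_EOCD)
    if pos < 0:
        raise ValueError("no end-of-central-directory record found")
    comment_len = struct.unpack_from("<H", data, pos + 20)[0]  # comment length field
    return data[: pos + EOCD_FIXED_LEN + comment_len]


def list_entries(data: bytes) -> list:
    """Names of files in the archive; raises if any entry fails its CRC check."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        bad = zf.testzip()
        if bad is not None:
            raise ValueError(f"CRC error in {bad}")
        return zf.namelist()


def build_sample_archive(trailing: int = 9) -> tuple:
    """Constructed sample: a tiny ZIP plus `trailing` zero bytes, standing in
    for a decrypted package with padding left after the EOCD record.
    Returns (clean_archive, padded_archive)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("logs/server.log", "constructed sample log line\n")
        zf.writestr("db/config.json", "{}")
    clean = buf.getvalue()
    return clean, clean + b"\x00" * trailing


if __name__ == "__main__":
    src, dst = sys.argv[1], sys.argv[2]
    with open(src, "rb") as f:
        plain = decrypt_supp(f.read())
    if not is_zip(plain):
        sys.exit("decrypted data does not start with a ZIP local file header")
    clean = trim_zip(plain)
    with open(dst, "wb") as f:
        f.write(clean)
    print(f"trimmed {len(plain) - len(clean)} trailing byte(s); entries:")
    for name in list_entries(clean):
        print("  ", name)
```

Usage: `python3 supp_decrypt.py network_support_dd-mm-yyyy.supp network_support.zip`. The trimmed output should open in Expand-Archive as well as 7-Zip, and the entry listing lets you grep the package for RADIUS secrets, keys and other material before emailing it anywhere.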

Image showing inside the support file, after decrypting and uncompressing

To confirm these files are readable, I exported them to a folder and thankfully, plaintext data is shown and readable:

Screenshot showing the directory tree of the exported archive and the plaintext contents of one of the support files
