IdeaRE RefTree versions prior to 2021.09.17 suffer from a remote shell upload vulnerability.
advisories | CVE-2022-27249
title: IdeaRE RefTree Remote Code Execution
product: IdeaRE RefTree < 2021.09.17
vulnerability type: Unrestricted File Upload
CVE ID: CVE-2022-27249
CVSSv3 score: 8.8
CVSSv3 vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
by: Savino Sisco [email protected]
RefTree is a web application made for managing complex real estate situations.
Among other features, it offers the possibility for authenticated users
to upload and download DWG (CAD drawings) files for buildings.
During a penetration test activity, an "Unrestricted File Upload" vulnerability
was found which leverages the upload feature to upload a file anywhere on the
By uploading a malicious web page, like an aspx web shell, to the server's
web root it is possible to achive code execution by just navigating to the
malicious page with a web browser.
IdeaRE RefTree < 2021.09.17
It is possible to reproduce the issue following these steps:
1. Log into the application to get a valid session cookie
2. Get a valid "ObjId" from the application (the ID of a building to associate
the file to)
3. Use the API endpoint '/CaddemServiceJS/CaddemService.svc/rest/UploadDwg'
to upload a file on the target system, for example a web shell in the
server's web root
4. Navigate to the new page with a web browser to trigger code execution
Example of the HTTP request to the Upload endpoint:
POST /CaddemServiceJS/CaddemService.svc/rest/UploadDwg HTTP/2
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:91.0) Gecko/20100101 Firefox/91.0
Accept: application/json, text/plain, */*
Accept-Encoding: gzip, deflate
HTTP/2 200 OK
Content-Type: application/json; charset=utf-8
Date: Fri, 10 Sep 2021 15:00:53 GMT
The following CVE ID was allocated to track the vulnerabilities:
2021-09-13 Vulnerability disclosed to our customer and the vendor.
Vendor acknowledged the issue.
2021-09-17 Vendor released a fix for the software.
2021-10-15 The vulnerability was rechecked in the newer version to confirm
that is was indeed fixed.
2022-03-15 Researcher requested to publicly disclose the issue; public
Update the software to a version >= 2021.09.17
Savino Sisco <[email protected]>