Infocad Facility Management CVE-2018-13789 Unauthenticated webservice allows retrieval of arbitrary files
Affected Products and Versions: Infocad FM – v. 2016.1.5.0, Infocad FM – Version(s) < v220.127.116.11
A critical vulnerability was discovered in Descor Infocad FM v2016.1.5.0 through v18.104.22.168,
the unauthenticated web service GlobalReaderWCF allows the download of arbitrary files from local disks and remote SMB shares via an unsanitized user-controlled field.
Depending on the version, configuration files with clear-text passwords can be retrieved (version < 22.214.171.124),
also depending on the host configuration and whether or not the machine is joined to a domain, ntlm relay attacks may be possible.
Most of the web services exposed by the application require a
“LoginKey” which is provided after Successful authentication, there
are however two functions of a web service which don’t.
The function “GetUpdateReport” from the GlobalReaderWCF webservice provides a full list of the components and versions used by the
application, the “GetUpdate” function instead allows the download of file via an unsanitized
user-input. Since the application runs on Windows (.NET framework),
other protocols are available to access the files, such as SAMBA. This
allows the attacker to redirect the retrieval of a file towards an
attacker-controlled server and ultimately allows attacks such as “Pass the hash” or relay attacks.
Remediation: Upgrade to Infocad FM v126.96.36.199
15/06/2018 – Initial vendor contact
19/06/2018 – Vendor acknowledged and agreed to further discuss the problem and to coordinate the disclosure
06/08/2018 – Vendor released a fixed version (188.8.131.52)
09/10/2018 – Advisory published
Discoverer: Panfilo Salutari <firstname.lastname@example.org>