Infocad Facility Management CVE-2018-13789: Unauthenticated web service allows retrieval of arbitrary files

    09-10-2018


    CVE ID: CVE-2018-13789
    CVSS: 9.3 (Critical)
    Vector: AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:L/RL:O

    Affected Products and Versions: Infocad FM v2016.1.5.0; all Infocad FM versions < v3.1.0.0


    Executive Summary

    A critical vulnerability was discovered in Descor Infocad FM v2016.1.5.0 and affects all versions prior to v3.1.0.0:
    the unauthenticated web service GlobalReaderWCF allows the download of arbitrary files from local disks and from remote SMB shares via an unsanitized, user-controlled field.
    Depending on the version, configuration files containing clear-text passwords can be retrieved.
    Depending on the host configuration and on whether the machine is joined to a domain, NTLM relay attacks may also be possible.

    Additional Information
    Most of the web services exposed by the application require a
    "LoginKey", which is issued after successful authentication. Two
    functions of one web service, however, do not.

    The function "GetUpdateReport" of the GlobalReaderWCF web service returns a full list of the components and versions used by the
    application. The "GetUpdate" function downloads a file whose name is taken from unsanitized
    user input. Because the application runs on Windows (.NET Framework), the file name is not
    limited to local paths: a UNC path such as \\host\share\file makes the server open an SMB
    connection to the named host. An attacker can therefore point the file retrieval at an
    attacker-controlled server, which exposes the NTLM authentication of the account running the
    service and enables credential-capture and NTLM relay attacks. Whether that succeeds depends
    on outbound SMB (TCP 445) being allowed from the host and on which account the service runs as.
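    The root cause is that the user-supplied file name reaches the file API without any check. The block below is an added example, not Descor's code and not taken from the advisory, of the validation a hardened GetUpdate would need: it applies Windows path rules (through ntpath, so it runs on any host) to reject UNC paths, absolute paths and traversal, and accepts only names that resolve strictly inside an assumed update directory. The directory name UPDATE_ROOT, the function names and the sample inputs are all constructed for the example.

```python
import ntpath

# Hypothetical directory a hardened GetUpdate would be allowed to serve from.
UPDATE_ROOT = r"C:\Infocad\Updates"


def classify_update_name(name: str, root: str = UPDATE_ROOT) -> str:
    """Classify a user-supplied file name as a hardened GetUpdate should.

    Returns "ok" only when `name` is a relative name that resolves strictly
    inside `root`; otherwise one of "empty", "invalid", "unc", "absolute",
    "outside".  Windows path rules are applied explicitly via ntpath so the
    check behaves identically on any host (useful for offline log triage).
    """
    if not name:
        return "empty"
    if "\x00" in name:
        return "invalid"
    drive, _ = ntpath.splitdrive(name)
    # A UNC prefix (\\host\share or //host/share) makes the .NET file API
    # open an SMB session to `host`: this is the NTLM capture/relay vector.
    if drive.startswith(("\\\\", "//")):
        return "unc"
    # A drive letter (C:\x, C:x) or a bare root (\x, /x) escapes the
    # update directory outright, whatever follows.
    if drive or name.startswith(("\\", "/")):
        return "absolute"
    full = ntpath.normpath(ntpath.join(root, name))
    root_norm = ntpath.normpath(root)
    # Containment is checked on the normalised path, case-insensitively,
    # because Windows file names are case-insensitive.  The trailing
    # separator stops "C:\Infocad\Updates2\x" from matching the root.
    if not full.lower().startswith(root_norm.lower() + "\\"):
        return "outside"
    return "ok"


def is_safe_update_name(name: str, root: str = UPDATE_ROOT) -> bool:
    """True only for names a hardened GetUpdate should be willing to open."""
    return classify_update_name(name, root) == "ok"


# Constructed sample inputs: what a legitimate client sends, and what an
# attacker would send to read configuration files or coerce an SMB connection.
SAMPLE_REQUESTS = [
    "Infocad.exe",
    "subdir/patch.msi",
    r"sub\..\patch.msi",
    r"..\..\Windows\win.ini",
    r"C:\inetpub\wwwroot\web.config",
    r"\Windows\win.ini",
    r"\\attacker\share\x.dll",
    "//attacker/share/x.dll",
    "",
]

if __name__ == "__main__":
    for req in SAMPLE_REQUESTS:
        print(f"{req!r:40} -> {classify_update_name(req)}")
```

    The classifier deliberately refuses absolute paths even when they would land inside the update directory: a legitimate client never needs to send one, and accepting them only widens the surface. The containment check is done after normalisation so that traversal hidden inside an otherwise relative name ("sub\..\..\x") is caught.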

    Remediation: Upgrade to Infocad FM v3.1.0.0 or later. Where upgrading is not immediately possible,
    restrict network access to the GlobalReaderWCF endpoint and block outbound SMB (TCP 445) from the host.

    Timeline:
    15/06/2018 – Initial vendor contact
    19/06/2018 – Vendor acknowledged and agreed to further discuss the problem and to coordinate the disclosure
    06/08/2018 – Vendor released a fixed version (3.1.0.0)
    09/10/2018 – Advisory published

    Discoverer:  Panfilo Salutari <p.salutari@quantumleap.it>

    Reference:
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=2018-13789
    http://www.infocad.fm/
    http://www.descor.com/
    https://www.owasp.org/index.php/Broken_Access_Control