Infocad Facility Management CVE-2018-13789: unauthenticated web service allows retrieval of arbitrary files


CVEID: CVE-2018-13789
CVSS: 9.3 (Critical)

Affected Products and Versions: Infocad FM – v. 2016.1.5.0, Infocad FM – Version(s) < v3.1.0.0

Executive Summary

A critical vulnerability was discovered in Descor Infocad FM v2016.1.5.0 through v3.1.0.0:
the unauthenticated web service GlobalReaderWCF allows the download of arbitrary files from local disks and remote SMB shares via an unsanitized user-controlled field.
Depending on the version, configuration files with clear-text passwords can be retrieved (version <,
also depending on the host configuration and whether or not the machine is joined to a domain, NTLM relay attacks may be possible.

Additional Information
Most of the web services exposed by the application require a
“LoginKey”, which is provided after successful authentication. There
are, however, two functions of one web service which do not.

The function “GetUpdateReport” of the GlobalReaderWCF web service provides a full list of the components and versions used by the
application. The “GetUpdate” function instead allows the download of files via unsanitized
user input. Since the application runs on Windows (.NET Framework),
other protocols are available to access the files, such as SMB. This
allows the attacker to redirect the retrieval of a file towards an
attacker-controlled server and ultimately allows attacks such as “Pass the hash” or relay attacks.
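
The missing input check, as an added example (not Infocad FM code and not the vendor's fix): a C# helper that confines a client-supplied file name to one directory, so UNC paths, absolute paths and traversal are rejected before any file is opened. The class and method names and the base directory used in Main are hypothetical.

```csharp
using System;
using System.IO;

// Added example with hypothetical names; not code from Infocad FM.
public static class UpdateFileResolver
{
    // Unsafe pattern: Path.Combine returns its second argument unchanged when
    // that argument is rooted, so a UNC path (\\host\share\f) or an absolute
    // path (C:\...) supplied by the client replaces baseDir entirely.
    public static string ResolveUnsafe(string baseDir, string requested)
    {
        return Path.Combine(baseDir, requested);
    }

    // Hardened: accept a bare file name only, then confirm the canonical
    // result is still inside baseDir.
    public static string Resolve(string baseDir, string requested)
    {
        if (string.IsNullOrWhiteSpace(requested))
            throw new ArgumentException("File name is empty.");

        // On Windows the invalid file-name characters include '\', '/' and ':',
        // which rules out UNC prefixes, drive letters and sub-paths.
        if (requested.IndexOfAny(Path.GetInvalidFileNameChars()) >= 0)
            throw new UnauthorizedAccessException("Not a bare file name.");

        string root = Path.GetFullPath(baseDir).TrimEnd('\\') + "\\";
        string full = Path.GetFullPath(Path.Combine(root, requested));

        // Catches names such as ".." that contain no invalid characters.
        if (!full.StartsWith(root, StringComparison.OrdinalIgnoreCase))
            throw new UnauthorizedAccessException("Path escapes the base directory.");
        return full;
    }

    public static void Main()
    {
        string baseDir = @"C:\ExampleApp\Updates";   // constructed placeholder
        string[] samples = { "update.zip", "..", @"..\web.config",
                             @"C:\Windows\win.ini", @"\\fileserver.example\share\x" };
        foreach (string s in samples)
        {
            try { Console.WriteLine("{0} -> {1}", s, Resolve(baseDir, s)); }
            catch (Exception e) { Console.WriteLine("{0} -> rejected: {1}", s, e.Message); }
        }
    }
}
```

Only the first constructed sample resolves; the other four are rejected, including the UNC path that would otherwise make the server open an SMB connection to a remote host.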

Remediation: Upgrade to Infocad FM v3.1.0.0

15/06/2018 – Initial vendor contact
19/06/2018 – Vendor acknowledged and agreed to further discuss the problem and to coordinate the disclosure
06/08/2018 – Vendor released a fixed version (
09/10/2018 – Advisory published

Discoverer: Panfilo Salutari