Dear ladies and gentlemen,

I am a proud user of the Pinnacle ShowCenter 1.51. When I was playing 
around with the system, it seems I have found a denial of service attack 
against the web interface.

First I did manually a HTTP GET request that selects a non-existent 
skin: http://192.168.0.11:8000/ShowCenter/SettingsBase.php?Skin=ATK

Afterwards I was not able to use the web interface anymore. I always get 
PHP warnings and fatal errors for every GET request I want to do (german 
Windows XP used):

--- cut ---

Warning: 
loaduserprofile(C:\Programme\Pinnacle\ShowCenter\DocPath/Skin/Term/Name.inc.php): 
failed to open stream: No such file or directory in 
C:\Programme\Pinnacle\ShowCenter\DocPath\Classes\User.inc.php on line 85

Fatal error: loaduserprofile(): Failed opening required 
'C:\Programme\Pinnacle\ShowCenter\DocPath/Skin/Term/Name.inc.php' 
(include_path='.;C:\Programme\Pinnacle\ShowCenter\DocPath') in 
C:\Programme\Pinnacle\ShowCenter\DocPath\Classes\User.inc.php on line 85

--- cut ---

I was not able to fix this within a few minutes. Editing the user 
profiles or using an old one was not sucessfull. It seems there has been 
something overwritten the user is not easily able to undo.

The surprise was, that the Pinnacle device was able to get the data as 
usual. I tought this has to do with the source IP address because the 
Pinnacle device and my testing machine have not had the same IP address. 
I changed these to see the difference but there was none. I also tought 
the hidden user profile has something to do with the HTTP_USER_AGENT 
variant sent by the web browser. I was not able to succeed with using 
different web browsers.

An attacker (in the same segment as the Pinnacle ShowCenter web server 
is) may be able to stop the server by sending a corrupt request as I 
described before. I wrote as proof-of-concept an exploit plugin for 
Attack Tool Kit (ATK), an open-source vulnerability scanner and 
exploiting tool[1]. Plugin 219 is able to detect the Pinnacle ShowCenter 
Server[2] and 220 is able to run the denial of service attack[3].

Pinnacle has been informed on 2004/09/14 with an email to 
info@pinnaclesys.com but I haven't get any reply yet. I hope they fix 
this vulnerability in an upcoming software release (e.g. a more careful 
input validation and connection limitation in 
C:\Programme\Pinnacle\Shared Files\Programs\StrmServer\StrmServer.ini).

A possible fix requires some manual hacking. Resetting the skin name by 
using another HTTP GET request for an existing skin as like 
http://192.168.0.11:8000/ShowCenter/SettingsBase.php?Skin=DefaultXL does 
not work. Thus, check the path given in the warning. If this is 
C:\Programme\Pinnacle\ShowCenter\DocPath/Skin/ATK/Name.inc.php you can 
copy or rename another profile in the path ATK to provide the needed 
files. After resetting an existent skin you can delete the temp skin 
directory.

Regards,

Marc Ruef

[1] http://www.computec.ch/projekte/atk/
[2] 
http://www.computec.ch/projekte/atk/plugins/pluginslist/Pinnacle%20ShowCenter%20BSE%20web%20server%20detection.plugin.html
[3] 
http://www.computec.ch/projekte/atk/plugins/pluginslist/Pinnacle%20ShowCenter%20BSE%20web%20server%20skin%20denial%20of%20service.plugin.html

(Attention: Long links may be broken!)

-- 
Computer, Technik und Security                  http://www.computec.ch/
Meine private Webseite                    http://www.computec.ch/mruef/