Pinnacle ShowCenter Skin Denial of Service
Dear ladies and gentlemen,
I am a proud user of the Pinnacle ShowCenter 1.51. When I was playing
around with the system, it seems I have found a denial of service attack
against the web interface.
First I did manually a HTTP GET request that selects a non-existent
skin: http://192.168.0.11:8000/ShowCenter/SettingsBase.php?Skin=ATK
Afterwards I was not able to use the web interface anymore. I always get
PHP warnings and fatal errors for every GET request I want to do (german
Windows XP used):
--- cut ---
Warning:
loaduserprofile(C:\Programme\Pinnacle\ShowCenter\DocPath/Skin/Term/Name.inc.php):
failed to open stream: No such file or directory in
C:\Programme\Pinnacle\ShowCenter\DocPath\Classes\User.inc.php on line 85
Fatal error: loaduserprofile(): Failed opening required
'C:\Programme\Pinnacle\ShowCenter\DocPath/Skin/Term/Name.inc.php'
(include_path='.;C:\Programme\Pinnacle\ShowCenter\DocPath') in
C:\Programme\Pinnacle\ShowCenter\DocPath\Classes\User.inc.php on line 85
--- cut ---
I was not able to fix this within a few minutes. Editing the user
profiles or using an old one was not sucessfull. It seems there has been
something overwritten the user is not easily able to undo.
The surprise was, that the Pinnacle device was able to get the data as
usual. I tought this has to do with the source IP address because the
Pinnacle device and my testing machine have not had the same IP address.
I changed these to see the difference but there was none. I also tought
the hidden user profile has something to do with the HTTP_USER_AGENT
variant sent by the web browser. I was not able to succeed with using
different web browsers.
An attacker (in the same segment as the Pinnacle ShowCenter web server
is) may be able to stop the server by sending a corrupt request as I
described before. I wrote as proof-of-concept an exploit plugin for
Attack Tool Kit (ATK), an open-source vulnerability scanner and
exploiting tool[1]. Plugin 219 is able to detect the Pinnacle ShowCenter
Server[2] and 220 is able to run the denial of service attack[3].
Pinnacle has been informed on 2004/09/14 with an email to
info@xxxxxxxxxxxxxxx but I haven't get any reply yet. I hope they fix
this vulnerability in an upcoming software release (e.g. a more careful
input validation and connection limitation in
C:\Programme\Pinnacle\Shared Files\Programs\StrmServer\StrmServer.ini).
A possible fix requires some manual hacking. Resetting the skin name by
using another HTTP GET request for an existing skin as like
http://192.168.0.11:8000/ShowCenter/SettingsBase.php?Skin=DefaultXL does
not work. Thus, check the path given in the warning. If this is
C:\Programme\Pinnacle\ShowCenter\DocPath/Skin/ATK/Name.inc.php you can
copy or rename another profile in the path ATK to provide the needed
files. After resetting an existent skin you can delete the temp skin
directory.
Regards,
Marc Ruef
[1] http://www.computec.ch/projekte/atk/
[2]
http://www.computec.ch/projekte/atk/plugins/pluginslist/Pinnacle%20ShowCenter%20BSE%20web%20server%20detection.plugin.html
[3]
http://www.computec.ch/projekte/atk/plugins/pluginslist/Pinnacle%20ShowCenter%20BSE%20web%20server%20skin%20denial%20of%20service.plugin.html
(Attention: Long links may be broken!)
--
Computer, Technik und Security http://www.computec.ch/
Meine private Webseite http://www.computec.ch/mruef/