Dear ladies and gentlemen, I am a proud user of the Pinnacle ShowCenter 1.51. When I was playing around with the system, it seems I have found a denial of service attack against the web interface. First I did manually a HTTP GET request that selects a non-existent skin: http://192.168.0.11:8000/ShowCenter/SettingsBase.php?Skin=ATK Afterwards I was not able to use the web interface anymore. I always get PHP warnings and fatal errors for every GET request I want to do (german Windows XP used): --- cut --- Warning: loaduserprofile(C:\Programme\Pinnacle\ShowCenter\DocPath/Skin/Term/Name.inc.php): failed to open stream: No such file or directory in C:\Programme\Pinnacle\ShowCenter\DocPath\Classes\User.inc.php on line 85 Fatal error: loaduserprofile(): Failed opening required 'C:\Programme\Pinnacle\ShowCenter\DocPath/Skin/Term/Name.inc.php' (include_path='.;C:\Programme\Pinnacle\ShowCenter\DocPath') in C:\Programme\Pinnacle\ShowCenter\DocPath\Classes\User.inc.php on line 85 --- cut --- I was not able to fix this within a few minutes. Editing the user profiles or using an old one was not sucessfull. It seems there has been something overwritten the user is not easily able to undo. The surprise was, that the Pinnacle device was able to get the data as usual. I tought this has to do with the source IP address because the Pinnacle device and my testing machine have not had the same IP address. I changed these to see the difference but there was none. I also tought the hidden user profile has something to do with the HTTP_USER_AGENT variant sent by the web browser. I was not able to succeed with using different web browsers. An attacker (in the same segment as the Pinnacle ShowCenter web server is) may be able to stop the server by sending a corrupt request as I described before. I wrote as proof-of-concept an exploit plugin for Attack Tool Kit (ATK), an open-source vulnerability scanner and exploiting tool[1]. Plugin 219 is able to detect the Pinnacle ShowCenter Server[2] and 220 is able to run the denial of service attack[3]. Pinnacle has been informed on 2004/09/14 with an email to info@pinnaclesys.com but I haven't get any reply yet. I hope they fix this vulnerability in an upcoming software release (e.g. a more careful input validation and connection limitation in C:\Programme\Pinnacle\Shared Files\Programs\StrmServer\StrmServer.ini). A possible fix requires some manual hacking. Resetting the skin name by using another HTTP GET request for an existing skin as like http://192.168.0.11:8000/ShowCenter/SettingsBase.php?Skin=DefaultXL does not work. Thus, check the path given in the warning. If this is C:\Programme\Pinnacle\ShowCenter\DocPath/Skin/ATK/Name.inc.php you can copy or rename another profile in the path ATK to provide the needed files. After resetting an existent skin you can delete the temp skin directory. Regards, Marc Ruef [1] http://www.computec.ch/projekte/atk/ [2] http://www.computec.ch/projekte/atk/plugins/pluginslist/Pinnacle%20ShowCenter%20BSE%20web%20server%20detection.plugin.html [3] http://www.computec.ch/projekte/atk/plugins/pluginslist/Pinnacle%20ShowCenter%20BSE%20web%20server%20skin%20denial%20of%20service.plugin.html (Attention: Long links may be broken!) -- Computer, Technik und Security http://www.computec.ch/ Meine private Webseite http://www.computec.ch/mruef/