QUOTE
List-Help: <mailto:bugtraq-help@securityfocus.com>
List-Unsubscribe: <mailto:bugtraq-unsubscribe@securityfocus.com>
List-Subscribe: <mailto:bugtraq-subscribe@securityfocus.com>
Delivered-To: mailing list bugtraq@securityfocus.com
Delivered-To: moderator for bugtraq@securityfocus.com
Received: (qmail 32559 invoked from network); 5 Feb 2003 11:57:25 -0000
Date: Wed, 5 Feb 2003 12:58:07 +0000
From: Auriemma Luigi <aluigi@pivx.com>
To: bugtraq@securityfocus.com
Subject: Unreal engine: results of my research
Message-Id: <20030205125807.757ecbc8.aluigi@pivx.com>
Organization: PivX
Mime-Version: 1.0
Content-Type: text/plain;
charset=US-ASCII
Content-Transfer-Encoding: 7bit
Status: R
X-Status: N
After almost 3 months, I have finally decided to release the huge
advisory/paper about bugs founded in the Unreal engine and all the relative
code for the vulnerabilities exploitation (plus some tools that I have
written during the reversing of the engine).
The link for get the english advisory is:
http://www.pivx.com/luigi/adv/ueng-adv.txt
And this is the link for the italian version:
http://www.pivx.com/luigi/adv/ueng-adv-ita.txt
The games interested by the vulnerabilities are really a lot and the
following is a list of games based on Unreal engine and that have
implemented its network engine:
- Star Trek: The Next Generation: Klingon Honor Guard
- Unreal
- The Wheel of Time
- Deus Ex
- Mobile Forces
- Rune
- Unreal Tournament
- Hired Guns
- Navy Seals
- TNN Outdoor Pro Hunter
- Werewolf
- X-Com: Alliance
- Adventure Pinball
- America's Army
- Unreal Tournament 2003
- future games (if the developers will not use a fixed
Unreal engine) like DeusEx2, Duke Nukem Forever,
Postal 2, Thief III and XIII just for example
The following is a very quick list of the bugs I have found:
1] Unreal engine doesn't have an handshake between client and server,
so an attacker can create DoS, DDoS and bounce attacks with spoofed
UDP packets.
2] Unreal engine uses challenge keys to identify each match but, I
don't know why, seems that the server doesn't really manage the
keys in the client's answers and furthermore it doesn't make other
checks to avoid an attacker easily adding faked players to the
server.
3] The Unreal engine has problems managing negative long numbers
(used for specify the size of data).
- If an attacker use negative numbers in network packets, the Unreal
server will allocate an amount of RAM that is equal to the number
without the sign or crash if the amount of bytes is greater than
the available memory.
- If the attacker uses package files (the maps for example) he can
easily execute code on the machine that launch the file, because
the bug used in package file allows the attacker to overwrite the
EIP register and upload all his code (no size limitations) in
memory.
4] Problems with Unreal URLs (unreal://...)
Unfortunally there are no patches at the moment because (as everyone can
understood) Epic Games after almost 3 months has not taken seriously these
problems and I am sorry for have waited too much time for release the
documents (Bugtraq timeout is less than a week and generally I wait maximum
1 month; 3 months are really too too much!)
BYEZ
---
PivX Security Researcher
http://www.pivx.com/luigi/
List-Unsubscribe: <mailto:bugtraq-unsubscribe@securityfocus.com>
List-Subscribe: <mailto:bugtraq-subscribe@securityfocus.com>
Delivered-To: mailing list bugtraq@securityfocus.com
Delivered-To: moderator for bugtraq@securityfocus.com
Received: (qmail 32559 invoked from network); 5 Feb 2003 11:57:25 -0000
Date: Wed, 5 Feb 2003 12:58:07 +0000
From: Auriemma Luigi <aluigi@pivx.com>
To: bugtraq@securityfocus.com
Subject: Unreal engine: results of my research
Message-Id: <20030205125807.757ecbc8.aluigi@pivx.com>
Organization: PivX
Mime-Version: 1.0
Content-Type: text/plain;
charset=US-ASCII
Content-Transfer-Encoding: 7bit
Status: R
X-Status: N
After almost 3 months, I have finally decided to release the huge
advisory/paper about bugs founded in the Unreal engine and all the relative
code for the vulnerabilities exploitation (plus some tools that I have
written during the reversing of the engine).
The link for get the english advisory is:
http://www.pivx.com/luigi/adv/ueng-adv.txt
And this is the link for the italian version:
http://www.pivx.com/luigi/adv/ueng-adv-ita.txt
The games interested by the vulnerabilities are really a lot and the
following is a list of games based on Unreal engine and that have
implemented its network engine:
- Star Trek: The Next Generation: Klingon Honor Guard
- Unreal
- The Wheel of Time
- Deus Ex
- Mobile Forces
- Rune
- Unreal Tournament
- Hired Guns
- Navy Seals
- TNN Outdoor Pro Hunter
- Werewolf
- X-Com: Alliance
- Adventure Pinball
- America's Army
- Unreal Tournament 2003
- future games (if the developers will not use a fixed
Unreal engine) like DeusEx2, Duke Nukem Forever,
Postal 2, Thief III and XIII just for example
The following is a very quick list of the bugs I have found:
1] Unreal engine doesn't have an handshake between client and server,
so an attacker can create DoS, DDoS and bounce attacks with spoofed
UDP packets.
2] Unreal engine uses challenge keys to identify each match but, I
don't know why, seems that the server doesn't really manage the
keys in the client's answers and furthermore it doesn't make other
checks to avoid an attacker easily adding faked players to the
server.
3] The Unreal engine has problems managing negative long numbers
(used for specify the size of data).
- If an attacker use negative numbers in network packets, the Unreal
server will allocate an amount of RAM that is equal to the number
without the sign or crash if the amount of bytes is greater than
the available memory.
- If the attacker uses package files (the maps for example) he can
easily execute code on the machine that launch the file, because
the bug used in package file allows the attacker to overwrite the
EIP register and upload all his code (no size limitations) in
memory.
4] Problems with Unreal URLs (unreal://...)
Unfortunally there are no patches at the moment because (as everyone can
understood) Epic Games after almost 3 months has not taken seriously these
problems and I am sorry for have waited too much time for release the
documents (Bugtraq timeout is less than a week and generally I wait maximum
1 month; 3 months are really too too much!)
BYEZ
---
PivX Security Researcher
http://www.pivx.com/luigi/
Apparently they have not had any responses back as far as acknowledging the vulnerability. :|