Unreal Engine Exploit and Vulnerability


Relic2K
:shock: The reason why I am posting this is because of how many games are impacted by this vulnerability in the Unreal Engine. I got this from BUGTRAQ today, and I wanted to make everyone aware of it.

 

Date: Wed, 5 Feb 2003 12:58:07 +0000

From: Auriemma Luigi <aluigi@pivx.com>

To: bugtraq@securityfocus.com

Subject: Unreal engine: results of my research

Message-Id: <20030205125807.757ecbc8.aluigi@pivx.com>

Organization: PivX

After almost 3 months, I have finally decided to release the huge advisory/paper about bugs found in the Unreal engine and all the related code for the exploitation of the vulnerabilities (plus some tools that I have written during the reversing of the engine).

 

 

The link to get the English advisory is:

 

http://www.pivx.com/luigi/adv/ueng-adv.txt

 

 

And this is the link for the Italian version:

 

http://www.pivx.com/luigi/adv/ueng-adv-ita.txt

 

 

 

The games affected by the vulnerabilities are really many, and the following is a list of games that are based on the Unreal engine and have implemented its network engine:

 

   - Star Trek: The Next Generation: Klingon Honor Guard
   - Unreal
   - The Wheel of Time
   - Deus Ex
   - Mobile Forces
   - Rune
   - Unreal Tournament
   - Hired Guns
   - Navy Seals
   - TNN Outdoor Pro Hunter
   - Werewolf
   - X-Com: Alliance
   - Adventure Pinball
   - America's Army
   - Unreal Tournament 2003
   - future games (if the developers will not use a fixed Unreal engine) like DeusEx2, Duke Nukem Forever, Postal 2, Thief III and XIII just for example

 

 

The following is a very quick list of the bugs I have found:

 

1] Unreal engine doesn't have a handshake between client and server, so an attacker can create DoS, DDoS and bounce attacks with spoofed UDP packets.

 

2] Unreal engine uses challenge keys to identify each match but, I don't know why, it seems that the server doesn't really manage the keys in the client's answers and furthermore it doesn't make other checks to avoid an attacker easily adding faked players to the server.

 

3] The Unreal engine has problems managing negative long numbers (used to specify the size of data).

-  If an attacker uses negative numbers in network packets, the Unreal server will allocate an amount of RAM that is equal to the number without the sign or crash if the amount of bytes is greater than the available memory.

-  If the attacker uses package files (the maps for example) he can easily execute code on the machine that launches the file, because the bug used in package file allows the attacker to overwrite the EIP register and upload all his code (no size limitations) in memory.

 

4] Problems with Unreal URLs (unreal://...)

 

 

Unfortunately there are no patches at the moment because (as everyone can understand) Epic Games after almost 3 months has not taken these problems seriously and I am sorry for having waited too much time to release the documents (Bugtraq timeout is less than a week and generally I wait maximum 1 month; 3 months are really too too much!)

 

 

 

BYEZ

 

 

---  

PivX Security Researcher

http://www.pivx.com/luigi/

 

Apparently they have not had any responses back as far as acknowledging the vulnerability. :|

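Item 3 of the quoted advisory describes a signed size field being trusted before allocation. The following is an added example, not code from the advisory or from the Unreal engine, showing the defensive check a receiver needs: reject a negative declared length before any cast, then bound it by a cap and by the bytes actually present. The 4-byte little-endian length prefix, the `MAX_FIELD_LEN` cap and the function names are assumptions made for illustration.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define MAX_FIELD_LEN 4096  /* assumed per-field cap; pick one per protocol */

/* Read a 4-byte little-endian signed length (constructed wire format). */
static int32_t read_le32(const uint8_t *p) {
    uint32_t v = (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
                 ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
    return (int32_t)v;
}

/* Returns a malloc'd copy of the field and stores its length in *out_len.
 * Returns NULL if the declared length is negative, above the cap, or
 * larger than the payload bytes actually present in the packet. */
uint8_t *parse_field(const uint8_t *pkt, size_t pkt_len, size_t *out_len) {
    if (pkt == NULL || out_len == NULL || pkt_len < 4)
        return NULL;
    int32_t declared = read_le32(pkt);
    if (declared < 0)                        /* reject before any cast */
        return NULL;
    if ((size_t)declared > MAX_FIELD_LEN)    /* bound the allocation */
        return NULL;
    if ((size_t)declared > pkt_len - 4)      /* bound the copy */
        return NULL;
    uint8_t *buf = malloc(declared ? (size_t)declared : 1);
    if (buf == NULL)
        return NULL;
    memcpy(buf, pkt + 4, (size_t)declared);
    *out_len = (size_t)declared;
    return buf;
}

int main(void) {
    /* Constructed packets: a valid 3-byte field, then a length of -1. */
    const uint8_t ok[]  = {3, 0, 0, 0, 'a', 'b', 'c'};
    const uint8_t neg[] = {0xff, 0xff, 0xff, 0xff, 'a', 'b', 'c'};
    size_t n = 0;
    uint8_t *f = parse_field(ok, sizeof ok, &n);
    printf("valid: %s (len %zu)\n", f ? "accepted" : "rejected", n);
    free(f);
    f = parse_field(neg, sizeof neg, &n);
    printf("negative length: %s\n", f ? "accepted" : "rejected");
    free(f);
    return 0;
}
```
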

Does this vulnerability attack the Linux version of Unreal Tournament 2003 and to what extent is the vulnerability prevalent in the Windoze versions while running under WineX???


From what it reads, it is a flaw in the Unreal Engine itself, so it should affect all versions regardless of which OS it is running on. It seems to be a denial of service via network attack. This is not the first time that an advisory was released on some of those games. Hopefully they will acknowledge it, and release a patch to fix the bug.


They did release a fix for UT/Linux, or someone did, but I'm not sure where it is at this present time. I really don't care. I rarely play those games online, and the vast majority don't run on Linux anyhow.

 

I don't know about UT2003 though, but it makes sense that if they fixed it for UT, they oughtta have fixed it for UT2003... Why don't we email them about it? Actually, they've probably got their attention on it now, since it got posted to Bugtraq.
