Relic2K Posted May 13, 2003 Report Share Posted May 13, 2003 I have written an exploit about another effect of the "Negative sign bug" I discovered some months ago in the Unreal engine (http://www.pivx.com/luigi/adv/ueng-adv.txt). The vulnerable softwares are ONLY the clients of the retail UnrealTournament 2003 v2199 and the demo v2206. The patch v2225 fixes the problem in the retail game. NOTE that the link to the v2225 patch for Linux has not yet inserted on the official homepage of the game http://www.unrealtournament2003.com but it exist and you can download directly from the following URL or from any other mirror: http://unreal.epicgames.com/linux/ut2003/u...tch2225.tar.bz2 Instead for the demo v2206 you must download the fixed IpDrv file from here: Win: http://unreal.epicgames.com/files/UT2003De...dowsUpdate1.zip Linux: http://unreal.epicgames.com/files/IpDrv.so.bz2 The exploit simulates an Unreal Tournament 2003 server that accepts connections to the information port (default 10777) and when a client connects to it, the server will send a formatted UDP packet that contains a negative index number that consumes a customized quantity of memory on the remote client and can crash it if this quantity cannot be allocated (for more informations about this type of bug read my old ueng-adv.txt advisory). The exploit can be compiled on both Windows and Unix systems: http://www.pivx.com/luigi/poc/ut2003pdos.zip The best solution for an attacker to maliciously use the exploit is in coupling with a heartbeat emulator that lets your IP address to be added to the official online game servers list of Epic (http://ut2003master.epicgames.com/serverlist/full-all.txt). I have written an example code that makes the work and can be easily customized: http://www.pivx.com/luigi/testz/ut2003ms.zip NOTE: for using the exploit in coupling with the heartbeat emulator you need to specify 7778 as default listening port. BYEZ --- PivX Bug Researcher http://www.pivx.com/luigi/ Quote Link to comment Share on other sites More sharing options...
Guest fubar::chi Posted May 15, 2003 Report Share Posted May 15, 2003 WHY would you post that here. There an exploit for ut out. great, i didn't know and you told us this. There is an update for the retail version not on the official site yet. Even greater that you posted this. Now why on earth would you post the exploit and give info on how to use it here. What possible good can this do? i think you should remove that part of your post. this isn't some warez site y'know. Quote Link to comment Share on other sites More sharing options...
Cannonfodder Posted May 15, 2003 Report Share Posted May 15, 2003 Not to play devil's advocate, I find it interesting to read about. We also have Aru's auto posting of Mandrake security. Never thought of an exploit that simulates a server for a heavily used internet game. I'm not ver heavy on security but still like the different insights I get.. Quote Link to comment Share on other sites More sharing options...
Recommended Posts
Join the conversation
You can post now and register later. If you have an account, sign in now to post with your account.
Note: Your post will require moderator approval before it will be visible.