SecurityTracker.com
Category:   Application (Game)  >   Unreal Game Engine
Vendors:   Epic Games
Unreal Game Engine Format String Flaw May Let Remote Users Execute Arbitrary Code
SecurityTracker Alert ID:  1009372
SecurityTracker URL:  http://securitytracker.com/id/1009372
CVE Reference:   GENERIC-MAP-NOMATCH
Date:  Mar 10 2004
Impact:   Denial of service via network, Execution of arbitrary code via network, User access via network
Vendor Confirmed:  Yes
Exploit Included:  Yes

Description:   Luigi Auriemma reported a format string vulnerability in the Unreal game engine. A remote user can cause a game server to crash or execute arbitrary code.

It is reported that a remote user can send a specially crafted class name containing formatting parameters (e.g., %n, %s) to the target server to cause the game service to crash or potentially execute arbitrary code.

A demonstration exploit is available at:

http://aluigi.altervista.org/poc/unrfs-poc.zip

This vulnerability reportedly affects games that use the Unreal engine, including America's Army, DeusEx, Devastation, Magic Battlegrounds, Mobile Forces, Nerf Arena Blast, Postal 2, Rainbow Six: Raven Shield, Rune, Sephiroth: 3rd episode the Crusade, Star Trek: Klingon Honor Guard, Tactical Ops, TNN Pro Hunter, Unreal 1, Unreal II XMP, Unreal Tournament, Unreal Tournament 2003, Wheel of Time, X-com Enforcer, and XIII.

The vendor was reportedly notified on September 2, 2003. Developers of the affected games listed above have been notified.

Impact:   A remote user can cause the game service to crash. A remote user may be able to execute arbitrary code on the target server.
Solution:   No solution was available at the time of this entry.
Vendor URL:  unreal.epicgames.com/
Cause:   Input validation error, State error
Underlying OS:  Linux (Any), Apple (Legacy "classic" Mac), UNIX (macOS/OS X), Windows (Any)

Message History:   None.


 Source Message Contents

Subject:  Format string bug in EpicGames Unreal engine


#######################################################################

                              Luigi Auriemma

Application:  Unreal engine
               http://unreal.epicgames.com
Games:        - America's Army
               - DeusEx
               - Devastation
               - Magic Battlegrounds
               - Mobile Forces
               - Nerf Arena Blast
               - Postal 2
               - Rainbow Six: Raven Shield
               - Rune
               - Sephiroth: 3rd episode the Crusade
               - Star Trek: Klingon Honor Guard
               - Tactical Ops
               - TNN Pro Hunter
               - Unreal 1
               - Unreal II XMP
               - Unreal Tournament
               - Unreal Tournament 2003
               - Wheel of Time
               - X-com Enforcer
               - XIII
               (the list contains all the Unreal based games with
               multiplayer support released until now)
Platforms:    Windows, Linux and MacOS
Bug:          remote format string bug
Risk:         critical
Exploitation: remote, versus server
Date:         10 Mar 2004
Author:       Luigi Auriemma
               e-mail: aluigi@altervista.org
               web:    http://aluigi.altervista.org


#######################################################################


1) Introduction
2) Bug
3) The Code
4) Fix


#######################################################################

===============
1) Introduction
===============


The Unreal engine is the famous game engine developed by EpicGames
(http://www.epicgames.com) and used by a wide number of games.


#######################################################################

======
2) Bug
======


The problem is a format string bug in the Classes management.
Each time a client connects to a server it sends the names of the
objects it uses (called classes).

If an attacker uses a class name containing format parameters (such as
%n, %s and so on) he will be able to crash or also to execute malicious
code on the remote server.


#######################################################################

===========
3) The Code
===========


   http://aluigi.altervista.org/poc/unrfs-poc.zip

This proof-of-concept is a proxy server able to modify the Unreal
packets in real-time allowing the insertion of "%n" into the class
names sent by the client to the server causing the remote crash.
It should be compatible with any game based on the Unreal engine and
requires the same game running on the server to be used.


#######################################################################

======
4) Fix
======


This bug was signaled to EpicGames EXACTLY the 2nd September 2003
(today is the 10th March so over 6 months ago) but at the beginning it
was underrated and was taken a bit more seriously only in November.

All the developers of the vulnerable games have been alerted by
EpicGames through their internal mailing-list.


About UT and UT2003:
EpicGames refused to release a quick-fix for UnrealTournament and
UnrealTournament 2003 so the fix was inserted in the planned patch
as they do for graphic bugs and other small problems... the patch has
not been released yet and it is impossible to know when it will be ready.


QUICK FIXES ARE THE SOLUTION: SECURITY BUGS ARE *NOT* COMMON BUGS!!!


#######################################################################


---
Luigi Auriemma
http://aluigi.altervista.org
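
The bug class described in the advisory, shown from the defensive side as an added example (not code from the Unreal engine or from the advisory's author): a client-supplied class name must only ever be passed as an argument to a constant format string, and can be checked against an allow-list first. The function names, the 64-byte limit, the permitted character set and the sample names are assumptions made for this illustration.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

#define MAX_CLASS_NAME 64  /* assumed limit, not taken from the engine */

/* Allow-list check (hypothetical helper): letters, digits, '_' and '.',
 * bounded length. '%' is rejected, so no conversion specifier gets through. */
int is_safe_class_name(const char *name)
{
    size_t len = strlen(name);
    if (len == 0 || len >= MAX_CLASS_NAME)
        return 0;
    for (size_t i = 0; i < len; i++) {
        unsigned char c = (unsigned char)name[i];
        if (!isalnum(c) && c != '_' && c != '.')
            return 0;
    }
    return 1;
}

/* Vulnerable pattern (shown only in this comment, never compiled):
 *     snprintf(out, out_len, name);     <- client data used as the format
 * With that call, "%s" or "%n" inside name is interpreted by the formatter.
 *
 * Hardened form: the format is a constant; the name is only an argument,
 * and names that fail the allow-list are not echoed at all. */
int format_class_log(char *out, size_t out_len, const char *name)
{
    if (!is_safe_class_name(name))
        return snprintf(out, out_len, "rejected class name (%zu bytes)",
                        strlen(name));
    return snprintf(out, out_len, "client class: %s", name);
}

int main(void)
{
    /* Constructed sample inputs, not captured traffic */
    const char *samples[] = { "Engine.Pawn", "Bot%n%n%s" };
    char line[128];
    for (size_t i = 0; i < 2; i++) {
        format_class_log(line, sizeof line, samples[i]);
        puts(line);
    }
    return 0;
}
```

Building with `-Wformat -Wformat-security` (GCC or Clang) flags calls where a non-literal string is used as the format, which is how this pattern is usually caught in review.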



 
 

