SecurityTracker.com
Category:   Application (Game)  >   Unreal Game Engine
Vendors:   Epic Games
Unreal Game Engine Has Buffer Overflow in 'Secure' Query That May Let Remote Users Execute Arbitrary Code
SecurityTracker Alert ID:  1010535
SecurityTracker URL:  http://securitytracker.com/id/1010535
CVE Reference:   GENERIC-MAP-NOMATCH
Date:  Jun 18 2004
Impact:   Execution of arbitrary code via network, Modification of user information, User access via network
Vendor Confirmed:  Yes  Exploit Included:  Yes  

Description:   Luigi Auriemma reported a vulnerability in the Unreal Game Engine, affecting a variety of games from Epic Games. A remote user may be able to execute arbitrary code on an affected system.

It is reported that a remote user can send a specially crafted "secure" query via UDP with a long query value to cause memory to be overwritten on the target system. A demonstration exploit value can be of the following format:

\secure\aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa...aaaa

The following games and versions are reported to be affected [quoted]:

DeusEx <= 1.112fm
Devastation <= 390
Mobile Forces <= 20000
Nerf Arena Blast <= 1.2
Postal 2 <= 1337
Rune <= 107
Tactical Ops <= 3.4.0
TNN Pro Hunter (?)
Unreal 1 <= 226f
Unreal II XMP <= 7710
Unreal Tournament <= 451b
Unreal Tournament 2003 <= 2225
Unreal Tournament 2004 < 3236
Wheel of Time <= 333b
X-com Enforcer

The vendor has reportedly been notified.

A demonstration exploit is available at:

http://aluigi.altervista.org/poc/unsecure.zip

Impact:   A remote user may be able to execute arbitrary code on the target system or spoof messages within the application.
Solution:   No solution was available at the time of this entry for most of the affected games. However, the vendor has released a fix for Unreal Tournament 2004 (build 3236).
Vendor URL:  unreal.epicgames.com/
Cause:   Boundary error
Underlying OS:  Linux (Any), UNIX (macOS/OS X), Windows (Any)

Message History:   None.


 Source Message Contents

Subject:  Code execution in the Unreal Engine through \secure\ packet


#######################################################################

                              Luigi Auriemma

Application:  Unreal Engine
               http://unreal.epicgames.com
Vulnerable games:
               - DeusEx                   <= 1.112fm
               - Devastation              <= 390
               - Mobile Forces            <= 20000
               - Nerf Arena Blast         <= 1.2
               - Postal 2                 <= 1337
               - Rune                     <= 107
               - Tactical Ops             <= 3.4.0
               - TNN Pro Hunter (?)
               - Unreal 1                 <= 226f
               - Unreal II XMP            <= 7710
               - Unreal Tournament        <= 451b
               - Unreal Tournament 2003   <= 2225
               - Unreal Tournament 2004   <  3236
               - Wheel of Time            <= 333b
               - X-com Enforcer
NOT vulnerable:
               - America's Army
               - Dead man's hand
               - Magic Battlegrounds
               - Rainbow Six: Raven Shield
               - Splinter Cell: Pandora tomorrow
               - Star Trek: Klingon Honor Guard
               - Unreal Tournament 2004   >= 3236
               - XIII
Platforms:    Windows, Linux and MacOS
Bug:          memory overwriting with possible code execution
Risk:         critical
Exploitation: remote, versus servers
Date:         18 June 2004
Author:       Luigi Auriemma
               e-mail: aluigi@altervista.org
               web:    http://aluigi.altervista.org


#######################################################################


1) Introduction
2) Bug
3) The Code
4) Fix


#######################################################################

===============
1) Introduction
===============


The Unreal engine is the famous game engine developed by EpicGames and
is currently the most used in the videogame world.
Who doesn't know the great Unreal series???


#######################################################################

======
2) Bug
======


Almost all the games based on the Unreal engine support the "secure"
query.
This type of query is part of the so-called Gamespy query protocol and
is used to know if the game server is able to calculate an exact
response using a provided string:
   http://unreal.epicgames.com/IpServer.htm
   http://aluigi.altervista.org/papers/gsmsalg.h

The query is a simple UDP packet like \secure\ABCDEF
If an attacker uses a long value in his secure query, some important
memory zones will be overwritten in the Unreal based game server.

Both remote code execution and spoofing are possible.


#######################################################################

===========
3) The Code
===========


http://aluigi.altervista.org/poc/unsecure.zip

or send a similar UDP packet to the query port of the game server:

\secure\aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa...aaaa


#######################################################################

======
4) Fix
======


EpicGames was notified of the bug over 3 weeks ago.
Currently only UnrealTournament 2004 has been fixed with the recent
3236 patch.
Check the homepages of the other vulnerable games for possible future
fixes.

However, fixing the problem should be simple enough, at least for those
who have experience with the UnrealScript language.
In fact the instructions that manage the \secure\ query and pass its
value to the bugged function are written in UnrealScript code and are
located in the files IpDrv.u or IpServer.u (depending on the engine
version used).


#######################################################################


---
Luigi Auriemma
http://aluigi.altervista.org
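
The boundary check that the "Bug" and "Fix" sections above call for, written here in C as an added example; it is not code from the advisory, from Epic Games or from the engine, whose handler is in UnrealScript. The function name extract_secure, the result codes and the SECURE_MAX ceiling are assumptions made for this example.

```c
#include <stddef.h>
#include <string.h>

/* Assumed ceiling: the advisory's sample challenge is 6 characters
 * ("ABCDEF"); 32 is a hypothetical limit, not an engine constant. */
#define SECURE_MAX 32

/* Result codes for extract_secure() (names are hypothetical). */
enum { SECURE_OK = 0, SECURE_ABSENT = -1, SECURE_TOO_LONG = -2, SECURE_BAD_ARG = -3 };

/*
 * Copy the value of the \secure\ key from a raw UDP query payload into out.
 * pkt is not assumed to be NUL-terminated; len is the datagram length.
 * The value ends at the next backslash or at the end of the datagram.
 * Nothing is copied unless the whole value fits, so an overlong value
 * is rejected instead of being truncated or written past the buffer.
 */
int extract_secure(const unsigned char *pkt, size_t len, char *out, size_t outsz)
{
    static const char key[] = "\\secure\\";
    const size_t klen = sizeof(key) - 1;
    size_t i, start, vlen;

    if (pkt == NULL || out == NULL || outsz == 0)
        return SECURE_BAD_ARG;
    out[0] = '\0';

    /* Locate the key without reading past the end of the datagram. */
    for (i = 0; len >= klen && i <= len - klen; i++)
        if (memcmp(pkt + i, key, klen) == 0)
            break;
    if (len < klen || i > len - klen)
        return SECURE_ABSENT;

    /* Measure the value first; copy only after the length check passes. */
    start = i + klen;
    for (vlen = 0; start + vlen < len && pkt[start + vlen] != '\\'; vlen++)
        ;
    if (vlen > SECURE_MAX || vlen >= outsz)
        return SECURE_TOO_LONG;

    memcpy(out, pkt + start, vlen);
    out[vlen] = '\0';
    return SECURE_OK;
}
```

A SECURE_TOO_LONG result is also a useful signal to log with the source address, since a legitimate challenge string is short.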



 
 



Copyright 2019, SecurityGlobal.net LLC