Unexploitable buffer-overflow in the logging function of the Unreal engine Aug 18 2007 10:04PM
Luigi Auriemma (aluigi autistici org)

#######################################################################

Luigi Auriemma

Application: Unreal engine
http://www.unrealtechnology.com
http://www.epicgames.com
Versions: this engine is used in many games like Unreal Tournament
2003 and 2004 (both vulnerables) and I have not tested
them all although I'm enough sure that almost all are
vulnerables
Platforms: Windows, Linux and Mac
Bugs: A] unexploitable buffer-overflow in the logging function
B] web admin hell bell on Windows dedicated servers
Exploitation: A] remote versus server
B] remote versus Windows dedicated server only
Date: 18 Aug 2007
Author: Luigi Auriemma
e-mail: aluigi (at) autistici (dot) org [email concealed]
web: aluigi.org

#######################################################################

1) Introduction
2) Bugs
3) The Code
4) Fix

#######################################################################

===============
1) Introduction
===============

The Unreal engine is a game engine developed by EpicGames
(http://www.epicgames.com) used in many famous commercial games of
which the main example is the just lucky Unreal Tournament series.

#######################################################################

=======
2) Bugs
=======

--------------------------------------------------------
A] unexploitable buffer-overflow in the logging function
--------------------------------------------------------

The logging function used in the Unreal engine (and which seems not
possible to disable) is vulnerable to a buffer-overflow bug.
The message passed to this function is used with appSprintf() for
building the following unicode string using an output buffer of 1024
unicode chars:

appSprintf(unicode_buffer, "%s: %s%s", "Log", message, "\r\n");

the appSprintf function works exactly as snprintf truncating the buffer
automatically at 1024 unicode chars without adding the final NULL byte
at the end if this limit is reached.
Then the unicode_buffer is converted in an ascii string using a set of
instructions similar to the following:

for(i = 0; (cx = unicode_buffer[i]); i++) {
if(cx >= 256) cx = 0x7f;
ascii_buffer[i] = cx;
}

the instructions are enough corrects but unfortunately the destination
ascii buffer is located in the stack just after the unicode_buffer and
as already said this one is not delimited if the 1024 chars limit is
reached.
The result is that after 1024 unicode chars the instructions will start
to get the unicode chars located in the output ascii buffer.
The input chars are unicode chars (16 bit) and so those in the ascii
buffer are ever major than the 256 number (0x0100) forcing the
instructions to continue to put 0x7f chars until a NULL byte is finally
reached... and in the meantime the return address has been completely
overwritten by 0x7f7f7f7f.

During my tests only UnrealTournament (version 451b) wasn't vulnerable
because its appSprintf delimits the destination unicode buffer.

How to exploit this vulnerability?

For the moment I have found only the Unreal web server as way for
exploiting this Denial of Service since it allows the sending and
moreover the visualization of more than 1024 chars, but other better
ways could exist.

The internal web server built in the Unreal engine is a service useful
for managing the own game server remotely through a web browser.
This server is NOT enabled by default and works on port 80 if the admin
doesn't change it.
The files pointed by the server are those contained in the Web folder
inside the game directory and /images is the only one which doesn't
require authorization, and is also the one needed to exploit this bug.

---------------------------------------------------
B] web admin hell bell on Windows dedicated servers
---------------------------------------------------

This type of Denial of Service could seem something like a joke but it
works terribly well.
The non-graphical dedicated server of the Unreal engine (UCC) works in
console and in some specific occasions it displays some of the data
sent by the clients.

The main idea behind this bug is forcing the server to visualize some
invalid chars like the bell (0x07) for freezing partially the system
and moreover the online game since the Windows console will start to
beep without a break.
In these cases the only way to stop the attack is killing the process
and its console.

The only good way I have found for exploiting this problem on the
Unreal engine with a big amount of chars is through the web admin port
since the invalid chars like 0x07 are not filtered.
Some ways for exploiting the problem are requests to the /images
folder, the Content-Type field using POST, any HEAD query and so on.

This bug can be exploited only versus the UCC Windows dedicated server,
since the in-game dedicated server has its own graphical interface and
on Linux and other operating systems there is no system freeze caused
by the bell... and sincerely I have never understood why the Windows
console has a so stupid problem.

#######################################################################

===========
3) The Code
===========

http://aluigi.org/poc/unrwebdos.zip

#######################################################################

======
4) Fix
======

No fix.
No reply received from the developers.

#######################################################################

---
Luigi Auriemma
http://aluigi.org
http://mirror.aluigi.org

[ reply ]


 

Privacy Statement
Copyright 2010, SecurityFocus