#######################################################################
Luigi Auriemma
Application: Unreal engine
http://www.unrealtechnology.com
Versions: almost any game which uses the Unreal engine is affected
by this vulnerability except some like Unreal Tournament
2004, Dead Man's Hand and possibly other old games
Platforms: Windows, Linux, Mac
Bug: format string
Exploitation: remote, versus client
Date: 11 Sep 2008
Author: Luigi Auriemma
e-mail: aluigi (at) autistici (dot) org
web: aluigi.org
#######################################################################
1) Introduction
2) Bug
3) The Code
4) Fix
#######################################################################
===============
1) Introduction
===============
The Unreal engine is the game engine developed by Epic Games
(http://www.epicgames.com) and used in many well-known commercial games,
the best-known example being the Unreal Tournament series.
#######################################################################
======
2) Bug
======
The Unreal engine is affected by several format string vulnerabilities
which can be exploited by a malicious server when the victim client
connects to it.
The main format string vulnerability can be exploited through a
malformed CLASS parameter of the DLMGR command, but another one seems to
be exploitable by forcing the download of a malformed package (PKG).
Some older games can instead be exploited through a malformed LEVEL
parameter of the WELCOME command.
The bug is caused by calling _vsnwprintf_s or _vsnwprintf to build an
error message shown to the user (for example, for a missing class) with
a maximum size of 4 kilobytes and, naturally, without passing the needed
format argument: the string containing the server-supplied data is used
directly as the format string.
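As an added illustration of the pattern described above (not code from this advisory or from Epic's engine), here is a reconstruction in standard C of the mistaken call beside its hardened form; the function names, the message text and the use of narrow-string vsnprintf/snprintf in place of _vsnwprintf_s are assumptions.

```c
#include <stdarg.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define ERRBUF_SIZE 4096  /* the advisory cites a 4 KB maximum for the message */

/* Mistaken pattern (assumed reconstruction): the caller hands a string that
   already embeds server-supplied data as the FORMAT argument, so any '%'
   directives inside that data are interpreted by vsnprintf. */
static void report_error(char *out, size_t n, const char *fmt, ...)
{
    va_list ap;
    va_start(ap, fmt);
    vsnprintf(out, n, fmt, ap);
    va_end(ap);
}

/* Vulnerable message builder: the untrusted name is spliced in first, then
   the combined text becomes the format. Only ever call this with benign
   input; with a name containing '%' the behaviour is undefined. */
static void vulnerable_missing_class(char *out, size_t n, const char *class_name)
{
    char msg[ERRBUF_SIZE];
    snprintf(msg, sizeof msg, "Can't find class '%s'", class_name); /* safe so far */
    report_error(out, n, msg);  /* BUG: msg (with untrusted data) is the format */
}

/* Hardened form: the format is a fixed literal and the untrusted string is
   only ever consumed by a %s conversion, so '%' in it is plain text. */
static void error_hardened(char *out, size_t n, const char *class_name)
{
    snprintf(out, n, "Can't find class '%s'", class_name);
}

/* Defender-side check: flag untrusted protocol strings carrying '%' so a
   proxy or log filter can record them before any printf-family call. */
static int has_format_directive(const char *s)
{
    return strchr(s, '%') != NULL;
}

/* Test/demo helpers returning the built message from a static buffer. */
static const char *hardened_message(const char *class_name)
{
    static char buf[ERRBUF_SIZE];
    error_hardened(buf, sizeof buf, class_name);
    return buf;
}

static const char *vulnerable_message_benign(const char *class_name)
{
    static char buf[ERRBUF_SIZE];
    vulnerable_missing_class(buf, sizeof buf, class_name);
    return buf;
}
```

On benign input both builders produce identical text, which is why the defect stays invisible until a server sends a name containing format directives.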
#######################################################################
===========
3) The Code
===========
http://aluigi.org/testz/unrealts.zip
http://aluigi.org/poc/unrealcfs.txt
- unrealts 7777 unrealcfs.txt
(or "unrealts -x 2 7777 unrealcfs.txt" for the Unreal 3 engine, use
-x for others)
- open the console of your client (~) and type: open 127.0.0.1:7777
#######################################################################
======
4) Fix
======
No fix
#######################################################################
---
Luigi Auriemma
http://aluigi.org