Clients format strings in the Unreal engine Sep 11 2008 11:36PM
Luigi Auriemma (aluigi autistici org)

#######################################################################

Luigi Auriemma

Application: Unreal engine
http://www.unrealtechnology.com
Versions: almost any game which uses the Unreal engine is affected
by this vulnerability except some like Unreal Tournament
2004, Dead Man's Hand and possibly other old games
Platforms: Windows, Linux, Mac
Bug: format string
Exploitation: remote, versus client
Date: 11 Sep 2008
Author: Luigi Auriemma
e-mail: aluigi (at) autistici (dot) org [email concealed]
web: aluigi.org

#######################################################################

1) Introduction
2) Bug
3) The Code
4) Fix

#######################################################################

===============
1) Introduction
===============

The Unreal engine is the game engine developed by Epic Games
(http://www.epicgames.com) and used in many famous commercial games of
which the main example is just the lucky Unreal Tournament series.

#######################################################################

======
2) Bug
======

The Unreal engine is affected by some format string vulnerabilities
which can be exploited by a malicious server when the victim client
connects to it.

The main format string can be exploited through a malformed CLASS
parameter of the DLMGR command but another one seems to be exploitable
through the forcing of the download of a malformed package (PKG).
Some older games instead can be exploited through a malformed LEVEL
parameter of the WELCOME command.

The bug is caused by the calling of _vsnwprintf_s or _vsnwprintf for
building an error message to visualize to the user (for example for a
missing class) using a max size of 4 kilobytes and, naturally, without
passing the needed format argument.

#######################################################################

===========
3) The Code
===========

http://aluigi.org/testz/unrealts.zip
http://aluigi.org/poc/unrealcfs.txt

- unrealts 7777 unrealcfs.txt
(or "unrealts -x 2 7777 unrealcfs.txt" for the Unreal 3 engine, use
-x for others)
- open the console of your client (~) and type: open 127.0.0.1:7777

#######################################################################

======
4) Fix
======

No fix

#######################################################################

---
Luigi Auriemma
http://aluigi.org

[ reply ]


 

Privacy Statement
Copyright 2010, SecurityFocus