Unreal Tournament 3 2.1 - 'STEAMBLOB' Command Remote Denial of Service Vulnerability

2010-07-20T00:00:00
ID EDB-ID:14414
Type exploitdb
Reporter Luigi Auriemma
Modified 2010-07-20T00:00:00

Description

Unreal Tournament 3 2.1 - 'STEAMBLOB' Command Remote Denial of Service Vulnerability. Dos exploit for windows platform

                                        
                                            #Original Advisory: http://aluigi.org/adv/ut3steamer-adv.txt
#
#######################################################################

                             Luigi Auriemma

Application:  Unreal Tournament III
              http://www.unrealtournament3.com
Versions:     <= 2.1 (aka 3809)
Platforms:    Windows (tested) and Linux
Bug:          unitialized pointer
Exploitation: remote, versus server
Date:         17 Jul 2010
Author:       Luigi Auriemma
              e-mail: aluigi@autistici.org
              web:    aluigi.org


#######################################################################


1) Introduction
2) Bug
3) The Code
4) Fix


#######################################################################

===============
1) Introduction
===============


Unreal Tournament III is currently the latest game (2007) of the Unreal
series created by Epic Games (http://www.epicgames.com).


#######################################################################

======
2) Bug
======


The game implements a particular command called STEAMBLOB which is
handled in any case even if Steam is not running.

This command accepts three arguments that are C, N and B and just this
last one (doesn't matter what value it has) is the cause of a problem
during the handling of some pointers that are left unitialized.
The effect is the crash of the whole server due to the access to
invalid memory or a NULL pointer.

It's enough only one UDP packet to exploit the vulnerability so there
are no limitations.


#######################################################################

===========
3) The Code
===========


http://aluigi.org/fakep/unrealfp.zip
https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/sploits/14414.zip (unrealfp.zip)

  unrealfp -x 2 -c "STEAMBLOB B=" SERVER PORT


#######################################################################

======
4) Fix
======


No fix.


#######################################################################