Unreal Engine Secure Query Overflow

2004-06-18T20:05:00
ID OSVDB:7217
Type osvdb
Reporter Luigi Auriemma(aluigi@altervista.org)
Modified 2004-06-18T20:05:00

Description

Vulnerability Description

The Unreal Engine contains a flaw that may be exploited by a malicious user to cause a buffer overflow. The issue is triggered when a remote attacker sends an excessively long value to a game server via the GameSpy 'secure' query protocol. It is possible that the flaw may allow remote code execution or denial of service.

Technical Description

The Unreal Engine is used by multiple games. This vulnerability was published as affecting games of less than or equal to current patch versions across multiple platforms. Given both these facts, and the fact that individual titles could not verified independently by OSVDB, individual products were not listed with this entry.

The list of affected games from the original vulnerability report:

          - DeusEx                
          - Devastation           
          - Mobile Forces         
          - Nerf Arena Blast      
          - Postal 2              
          - Rune                  
          - Tactical Ops          
          - TNN Pro Hunter (?)
          - Unreal 1              
          - Unreal II XMP         
          - Unreal Tournament     
          - Unreal Tournament 2003
          - Unreal Tournament 2004
          - Wheel of Time         
          - X-com Enforcer

The list of unaffected games from the original vulnerability report:

          - America's Army
          - Dead man's hand
          - Magic Battlegrounds
          - Rainbow Six: Raven Shield
          - Splinter Cell: Pandora tomorrow
          - Star Trek: Klingon Honor Guard
          - Unreal Tournament 2004   >= 3236
          - XIII

Please realize that more (or less) game products may or may not be affected.

Solution Description

Upgrade to UnrealTournament 2004 version 3236 or higher, as it has been reported to fix this vulnerability. There are no other upgrades or patches known to fix the vulnerability at this time.

It may be possible to correct the flaw or prevent exploitation by implementing one or more workaround(s). Links are provided as Other Solution URL's in the external references section.

Short Description

The Unreal Engine contains a flaw that may be exploited by a malicious user to cause a buffer overflow. The issue is triggered when a remote attacker sends an excessively long value to a game server via the GameSpy 'secure' query protocol. It is possible that the flaw may allow remote code execution or denial of service.

References:

Vendor Specific Advisory URL Security Tracker: 1010535 Secunia Advisory ID:11900 Secunia Advisory ID:12091 Packet Storm: http://packetstormsecurity.org/0406-exploits/unsecure.zip Packet Storm: http://packetstormsecurity.org/0406-advisories/unrealCodeExec.txt Other Solution URL: http://aluigi.altervista.org/adv/unsecure-adv.txt Other Solution URL: http://isc.sans.org/diary.php?date=2004-06-22 Other Solution URL: http://archives.neohapsis.com/archives/bugtraq/2004-06/0375.html Other Solution URL: http://www.gdries.com/IpServer.u Other Advisory URL: http://aluigi.altervista.org/adv/unsecure-adv.txt Other Advisory URL: http://www.securiteam.com/windowsntfocus/5BP0P0AD5W.html Keyword: UDP port 7777 Keyword: UDP port 7787 Keyword: epic ISS X-Force ID: 16451 CVE-2004-0608 Bugtraq ID: 10570