unreal-1.3-dirtrav.txt

2008-09-21T00:00:00
ID PACKETSTORM:70163
Type packetstorm
Reporter Luigi Auriemma
Modified 2008-09-21T00:00:00

Description

                                        
                                            `  
#######################################################################  
  
Luigi Auriemma  
  
Application: Unreal Tournament 3  
http://www.unrealtournament3.com  
Versions: 1.3 ONLY (both build 3601 and 3614)  
older versions are safe  
Platforms: Windows and Linux  
Bug: directory traversal in the web interface  
Exploitation: remote, versus server  
Date: 21 Sep 2008  
Author: Luigi Auriemma  
e-mail: aluigi@autistici.org  
web: aluigi.org  
  
  
#######################################################################  
  
  
1) Introduction  
2) Bug  
3) The Code  
4) Fix  
  
  
#######################################################################  
  
===============  
1) Introduction  
===============  
  
  
Unreal Tournament 3 (UT3) is the latest game of the famous homonim  
series developed by Epic Games (http://www.epicgames.com).  
  
  
#######################################################################  
  
======  
2) Bug  
======  
  
  
UT3, as any other game based on the Unreal engine, has an internal web  
server called uWeb for controlling the own server remotely using a web  
browser.  
This interface is disabled by default and in the case of UT3 are needed  
the additional files located on http://ut3webadmin.elmuerte.com (choice  
made by Epic for fixing possibly issues more quickly).  
  
In the last 1.3 patch released the 13th August 2008 has been made a bad  
and unusual modification to uWeb.  
In fact the WebAdmin component is composed by two sub components/classes  
called UTServerAdmin (used for everything) and UTImageServer used only  
for the handling of the HTTP requests for the files in the /images  
folder.  
  
In the script of the ImageServer component in version 1.3 has been made  
the following change which has removed the limitation of downloading  
only files with the extentions JPG, JPEG, GIF, BMP and PNG:  
  
ImageServer.uc of version 1.2:  
...  
else  
{  
Response.HTTPError(404);  
return;  
}  
Response.IncludeBinaryFile( Path $ Image );  
  
ImageServer.uc of version 1.3:  
...  
else  
{  
Response.SendStandardHeaders("application/octet-stream", true);  
}  
Response.IncludeBinaryFile( Path $ Image );  
  
Not a so dangerous thing except that the directory traversal which has  
EVER affected this part of the engine and which has never been possible  
to exploit due to the filters on the extensions of the requested files  
(an image can't be classified as "sensible" data moreover if there is  
no way to know the exact locations of these files) now allows any  
external unauthenticated attacker to download files from the system.  
  
In fact when a file is requested the engine first looks in the home  
folder of the user who has launched the UT3 server (for example  
"C:\Documents and Settings\Administrator\My Documents\My Games\Unreal  
Tournament 3") because the configuration files used by the server are  
located just there and then in the folder of the game, so having the  
server installed on another partition doesn't limit the problem.  
  
For example, it's enough to request the file  
"/images/../../UTGame/Config/UTGame.INI" to see all the configuration  
of the server which includes also the admin password to gain access to  
the same webadmin interface.  
In the example I have used the INI extension instead of ini because  
this particular extension seems filtered internally so it's enough to  
use one or more upper case chars in it to bypass the check while there  
are no strange behaviours for the other extensions or files.  
  
  
#######################################################################  
  
===========  
3) The Code  
===========  
  
  
http://aluigi.org/poc/ut3webown.txt  
  
nc SERVER 80 -v -v < ut3webown.txt  
  
  
#######################################################################  
  
======  
4) Fix  
======  
  
  
No fix  
  
  
#######################################################################  
  
  
---   
Luigi Auriemma  
http://aluigi.org  
`