Format string bug in EpicGames Unreal engine

2004-03-10T00:00:00
ID SECURITYVULNS:DOC:5884
Type securityvulns
Reporter Securityvulns
Modified 2004-03-10T00:00:00

Description

                         Luigi Auriemma

Application: Unreal engine http://unreal.epicgames.com Games: - America's Army - DeusEx - Devastation - Magic Battlegrounds - Mobile Forces - Nerf Arena Blast - Postal 2 - Rainbow Six: Raven Shield - Rune - Sephiroth: 3rd episode the Crusade - Star Trek: Klingon Honor Guard - Tactical Ops - TNN Pro Hunter - Unreal 1 - Unreal II XMP - Unreal Tournament - Unreal Tournament 2003 - Wheel of Time - X-com Enforcer - XIII (the list contains all the Unreal based games with multiplayer support released until now) Platforms: Windows, Linux and MacOS Bug: remote format string bug Risk: critical Exploitation: remote, versus server Date: 10 Mar 2004 Author: Luigi Auriemma e-mail: aluigi@altervista.org web: http://aluigi.altervista.org

1) Introduction 2) Bug 3) The Code 4) Fix

=============== 1) Introduction ===============

The Unreal engine is the famous game engine developed by EpicGames (http://www.epicgames.com) and used by a wide number of games.

====== 2) Bug ======

The problem is a format string bug in the Classes management. Each time a client connects to a server it sends the names of the objects it uses (called classes).

If an attacker uses a class name containing format parameters (as %n, %s and so on) he will be able to crash or also to execute malicious code on the remote server.

=========== 3) The Code ===========

http://aluigi.altervista.org/poc/unrfs-poc.zip

This proof-of-concept is a proxy server able to modify the Unreal packets in real-time allowing the insertion of "%n" into the class names sent by the client to the server causing the remote crash. It should be compatible with any game based on the Unreal engine and requires the same game running on the server to be used.

====== 4) Fix ======

This bug was signaled to EpicGames EXACTLY the 2th September 2003 (today is the 10th March so over 6 months ago) but at the beginning it was underrated and was taken a bit more seriously only at November.

All the developers of the vulnerable games have been alerted by EpicGames through their internal mailing-list.

About UT and UT2003: EpicGames refused to release a quick-fix for UnrealTournament and UnrealTournament 2003 so the fix was inserted in the planned patch as they do for graphic bugs and other small problems... the patch has not been released yet and is impossible to know when it will be ready.

QUICK FIXES ARE THE SOLUTION: SECURITY BUGS ARE NOT COMMON BUGS!!!


Luigi Auriemma http://aluigi.altervista.org