| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
From: aluigi at altervista.org (Luigi Auriemma)
Subject: Arbitrary file overwriting in Unreal engine through UMOD
#######################################################################
Luigi Auriemma
Application: Unreal engine
http://unreal.epicgames.com
Versions: any game based on this engine that supports the UMOD
installation.
An example are Unreal Tournament <= 451b and Unreal
Tournament 2003 <= 2225.
A full list of vulnerable games is not available.
Platforms: Windows and MacOS (on Linux the UMODs are not officially
supported)
Bug: arbitrary file overwriting
Risk: medium as diffusion but critical as damage
Exploitation: local
Date: 22 Apr 2004
Author: Luigi Auriemma
e-mail: aluigi@...ervista.org
web: http://aluigi.altervista.org
#######################################################################
1) Introduction
2) Bug
3) The Code
4) Fix
#######################################################################
===============
1) Introduction
===============
The Unreal engine developed by EpicGames natively supports a file
format called UMOD used to easily install external add-ons:
"Umod: (aka Unreal MOD) Platform independent archives that allow mod
authors to ship their game content to unreal engine gamers"
#######################################################################
======
2) Bug
======
The UMOD file format is a simple archive that contains all the files to
install plus a manifest.ini file read by the UMOD installer and used to
know some informations as the author of the mod, the description, the
needed minimum game version and more.
Using the classical "..\" pattern in the filename and in its name into
the manifest.ini file an attacker is able to go outside the game's
directory and to overwrite ANY file in the partition on which the game
is installed, without alerts or messages from the installer.
#######################################################################
===========
3) The Code
===========
http://aluigi.altervista.org/poc/umodpoc.zip
However is also possible create a normal UMOD file using the specific
utilities commonly used to do it as UmodWizard, modifying a filename
and its name in the manifest.ini file using the "..\" pattern just as
"..\..\..\windows\notepad.exe" and then recalculating the checksum of
the package with the -C option of my UMOD extractor utility
http://aluigi.altervista.org/papers/umodext.zip.
#######################################################################
======
4) Fix
======
The bug has been signaled to EpicGames the 18 December 2003.
Unreal Tournament 2004 is the only game actually patched, in fact it
has been fixed before its pubblic release.
Unreal Tournament and Unreal Tournament 2003 are still vulnerable and
the patch is a mistery from 7 months.
I don't know if and how many other games are vulnerables.
#######################################################################
---
Luigi Auriemma
http://aluigi.altervista.org
Powered by blists - more mailing lists