Message-ID: <20040311135639.3022.qmail@www.securityfocus.com>
Date: 11 Mar 2004 13:56:39 -0000
From: Sebastian "Käppler" <sebastiankaeppler@....de>
To: bugtraq@...urityfocus.com
Subject: Re: Format string bug in EpicGames Unreal engine


In-Reply-To: <20040310163053.6db31644.aluigi@...ervista.org>

It seems that all servers running the MOD "TacticalOps" for UT1 are not affected by the vulnerability. I ran a local test server and got the following output:

"PreLogin failure: Player Class: %n%n%n.s_Player_T is not valid! - reinstall Tactical Ops properly. (NEEDPW)"

It seems that the UT engine calls the "PreLogin" function of the currently active GameInfo class (which is written in UnrealScript) before processing the string.

TacticalOps code:

event PreLogin (string Options, string Address, out string Error, out string FailCode)
{
	local string Value;

	Super.PreLogin(Options,Address,Error,FailCode);
	Value=ParseOption(Options,"Class");
	if ( !(Value ~= "s_SWAT.s_Player_T") )
	{
		Error="Player Class:" @ Value @ "is not valid! - reinstall Tactical Ops properly.";
		return;
	}
}

So basically only a new GameInfo class written in UnrealScript containing the following should stop the crash problem:

event PreLogin (string Options, string Address, out string Error, out string FailCode)
{
    Super.PreLogin(Options,Address,Error,FailCode);
    // InStr returns -1 when the substring is absent, so compare explicitly.
    if (InStr(ParseOption(Options,"Class"),"%") != -1)
        Error = "Crash exploit";
}





>Application:  Unreal engine
>              http://unreal.epicgames.com
>Games:        - America's Army
>              - DeusEx
>              - Devastation
>              - Magic Battlegrounds
>              - Mobile Forces
>              - Nerf Arena Blast
>              - Postal 2
>              - Rainbow Six: Raven Shield
>              - Rune
>              - Sephiroth: 3rd episode the Crusade
>              - Star Trek: Klingon Honor Guard
>              - Tactical Ops
>              - TNN Pro Hunter
>              - Unreal 1
>              - Unreal II XMP
>              - Unreal Tournament
>              - Unreal Tournament 2003
>              - Wheel of Time
>              - X-com Enforcer
>              - XIII
>              (the list contains all the Unreal based games with
>              multiplayer support released until now)
>Platforms:    Windows, Linux and MacOS
>Bug:          remote format string bug
>Risk:         critical
>Exploitation: remote, versus server
>Date:         10 Mar 2004
>Author:       Luigi Auriemma
>              e-mail: aluigi@...ervista.org
>              web:    http://aluigi.altervista.org
>
>
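
The same pre-check as the PreLogin filter above, sketched in C as an added example (not code from the original post, Tactical Ops or Epic): reject a Class option containing '%' before it reaches any formatting code, and build the error with a constant format string. The "?Key=Value" option layout, the case-sensitive key match and the names parse_option and prelogin_check are assumptions made for illustration.

```c
#include <stdio.h>
#include <string.h>

/* Hypothetical helper: copy the value of `key` from an option string of the
   assumed form "?Key=Value?Key2=Value2" into out. Returns 1 if found. */
int parse_option(const char *options, const char *key, char *out, size_t outsz)
{
    size_t klen = strlen(key);
    const char *p = options;

    while ((p = strchr(p, '?')) != NULL) {
        p++;                                        /* skip the '?' separator */
        if (strncmp(p, key, klen) == 0 && p[klen] == '=') {
            size_t n = strcspn(p + klen + 1, "?");  /* value ends at next '?' */
            if (n >= outsz)
                n = outsz - 1;                      /* truncate, never overflow */
            memcpy(out, p + klen + 1, n);
            out[n] = '\0';
            return 1;
        }
    }
    return 0;
}

/* Mirrors the PreLogin filter: returns 0 and fills err when the Class value
   contains '%', returns 1 (err left empty) otherwise. */
int prelogin_check(const char *options, char *err, size_t errsz)
{
    char cls[128];

    err[0] = '\0';
    if (parse_option(options, "Class", cls, sizeof cls) && strchr(cls, '%')) {
        /* Constant format string: the untrusted value is only ever data. */
        snprintf(err, errsz, "Player Class: %s is not valid!", cls);
        return 0;
    }
    return 1;
}

int main(void)
{
    char err[256];
    const char *bad = "?Name=Player?Class=%n%n%n.s_Player_T";  /* constructed */
    const char *ok  = "?Name=Player?Class=s_SWAT.s_Player_T";  /* constructed */

    printf("%d %s\n", prelogin_check(bad, err, sizeof err), err);
    printf("%d %s\n", prelogin_check(ok, err, sizeof err), err);
    return 0;
}
```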


