lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
Open Source and information security mailing list archives
| ||
|
Date: Wed, 30 Jul 2008 00:37:27 +0100 From: Luigi Auriemma <aluigi@...istici.org> To: bugtraq@...urityfocus.com, full-disclosure@...ts.grok.org.uk, packet@...ketstormsecurity.org, cert@...t.org, news@...uriteam.com Subject: Memory corruption and NULL pointer in Unreal Tournament III 1.2 ####################################################################### Luigi Auriemma Application: Unreal Tournament III http://www.unrealtournament3.com Versions: <= 1.2 and 1.3beta4 Platforms: Windows (tested), Linux, PS3 and Xbox360 Bugs: A] memory corruption B] NULL pointer Exploitation: remote, versus server Date: 30 Jul 2008 Author: Luigi Auriemma e-mail: aluigi@...istici.org web: aluigi.org ####################################################################### 1) Introduction 2) Bugs 3) The Code 4) Fix ####################################################################### =============== 1) Introduction =============== Unreal Tournament III is the latest game (2007) of the Unreal series created by Epic Games (http://www.epicgames.com). ####################################################################### ======= 2) Bugs ======= -------------------- A] memory corruption -------------------- UT3 is affected by a problem in the handling of a specific type of packet. In this particular type of packet there is a 16 bit field which specifies the size of the data that follows and if this string is longer than about 172 bytes a memory corruption will occur allowing an attacker to control various registers which could allow the execution of malicious code. --------------- B] NULL pointer --------------- If the amount of data about I talked previously is bigger than the total size of the packet the string will not be read and a NULL pointer exception will occur. This type of bug is easily recognizable on the server because the message "Error: Attempted to multiply free a voice packet" is displayed before the crash when the malformed packet is received. ####################################################################### =========== 3) The Code =========== http://aluigi.org/poc/ut3mendo.zip ####################################################################### ====== 4) Fix ====== No fix ####################################################################### --- Luigi Auriemma http://aluigi.org http://backup.aluigi.org http://mirror.aluigi.org
Powered by blists - more mailing lists