Message-Id: <20080912003630.3dc65f9e.aluigi@autistici.org>
Date: Fri, 12 Sep 2008 00:36:30 +0100
From: Luigi Auriemma <aluigi@...istici.org>
To: bugtraq@...urityfocus.com, full-disclosure@...ts.grok.org.uk,
packet@...ketstormsecurity.org, cert@...t.org
Subject: Server termination in the Unreal engine 3
#######################################################################
                             Luigi Auriemma

Application:  Unreal engine 3
              http://www.unrealtechnology.com
Versions:     the bug affects various games which use the Unreal engine 3,
              like Unreal Tournament 3 1.3, Frontlines: Fuel of War 1.1.1
              and so on
              Turning Point: Fall of Liberty is NOT vulnerable
              note: the proof-of-concept used for testing this bug has also
              caused the termination of other older games like Star Wars
              Republic Commando, Pariah, Warpath and Shadow Ops (no
              additional checks have been performed on them)
Platforms:    Windows, Linux, Mac
Bug:          server termination caused by failed memory allocation
Exploitation: remote, versus server
Date:         11 Sep 2008
Author:       Luigi Auriemma
              e-mail: aluigi@...istici.org
              web:    aluigi.org
#######################################################################
1) Introduction
2) Bug
3) The Code
4) Fix
#######################################################################
===============
1) Introduction
===============
The Unreal engine is the game engine developed by Epic Games
(http://www.epicgames.com) and used in many famous commercial games,
the main example being the successful Unreal Tournament series.
#######################################################################
======
2) Bug
======
The problem is located in the function which reads strings from the
packet. Each string is preceded by a 32 bit number (it was an index
number in the previous Unreal engine 1 and 2) which specifies the size
in bytes of the subsequent string to read.

This function removes the sign of the number if it is negative and then
tries to allocate twice that amount of memory, because the new buffer is
used to hold the unicode version of the string.
Before the data is copied, an additional check on the sign of the value
is performed to avoid integer overflows (for example with the value
0x80000000).

If an attacker uses a 32 bit number larger than what can be allocated on
the system (like 0x7fffffff), the engine terminates immediately, showing
a log message like the following:

  Critical: Ran out of virtual memory. To prevent this condition, you
  must free up more space on your primary hard disk.

Turning Point: Fall of Liberty is another game which uses the Unreal
engine 3 but, unlike the others tested by me, its memory allocation
function doesn't shut down the entire game to report the error: it
simply returns a NULL value (like a classical malloc), which is
correctly handled, so the game is not vulnerable.

The attack can be performed against the server using one simple UDP
packet, with the possibility of spoofing it.
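
An added example (not part of the original advisory, and not Unreal engine code): a length-prefixed string reader in C that bounds the 32 bit size by the bytes actually present in the packet and returns NULL on failure, which is the behaviour described above for Turning Point. The packet layout (little-endian length followed by one byte per character), the function names and MAX_STR_BYTES are assumptions made for the illustration.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

#define MAX_STR_BYTES 1024u /* assumed per-string cap, not an engine constant */

/* Length field with its sign removed, computed without signed overflow. */
static uint32_t magnitude(uint32_t raw) {
    return (raw & 0x80000000u) ? 0u - raw : raw;
}

/* Bytes the reader described in the advisory would request: twice the length.
   Kept in 64 bits here; in 32 bits 0x80000000 would wrap to 0. */
uint64_t described_request(uint32_t raw) {
    return 2u * (uint64_t)magnitude(raw);
}

/* Hardened reader: 32-bit little-endian length at pkt[*off], then the string.
   Returns a 16-bit-per-char copy, or NULL if the packet is malformed or the
   allocation fails, so the caller drops the packet instead of terminating. */
uint16_t *read_string(const uint8_t *pkt, size_t len, size_t *off, uint32_t *chars) {
    if (*off > len || len - *off < 4) return NULL;
    const uint8_t *p = pkt + *off;
    uint32_t raw = p[0] | (uint32_t)p[1] << 8 | (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24;
    uint32_t n = magnitude(raw);
    /* The length can never exceed the bytes actually present in the datagram. */
    if (n > MAX_STR_BYTES || n > len - *off - 4) return NULL;
    uint16_t *dst = calloc((size_t)n + 1, sizeof *dst);
    if (dst == NULL) return NULL;
    for (uint32_t i = 0; i < n; i++) dst[i] = p[4 + i];
    *off += 4 + (size_t)n;
    *chars = n;
    return dst;
}

int main(void) {
    /* Constructed sample packets: a valid 2-byte string, then an oversized length. */
    const uint8_t ok[] = {2, 0, 0, 0, 'h', 'i'};
    const uint8_t big[] = {0xff, 0xff, 0xff, 0x7f, 'x'};
    size_t off = 0; uint32_t chars = 0;
    uint16_t *s = read_string(ok, sizeof ok, &off, &chars);
    printf("valid: %s, chars=%u\n", s ? "accepted" : "rejected", (unsigned)chars);
    free(s);
    off = 0;
    s = read_string(big, sizeof big, &off, &chars);
    printf("0x7fffffff: %s (described request: %llu bytes)\n",
           s ? "accepted" : "rejected", (unsigned long long)described_request(0x7fffffffu));
    free(s);
    return 0;
}
```
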
#######################################################################
===========
3) The Code
===========
http://aluigi.org/poc/ut3sticle.zip
#######################################################################
======
4) Fix
======
No fix
#######################################################################
---
Luigi Auriemma
http://aluigi.org