lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list]
Message-Id: <20080912003630.3dc65f9e.aluigi@autistici.org>
Date: Fri, 12 Sep 2008 00:36:30 +0100
From: Luigi Auriemma <aluigi@...istici.org>
To: bugtraq@...urityfocus.com, full-disclosure@...ts.grok.org.uk,
	packet@...ketstormsecurity.org, cert@...t.org
Subject: Server termination in the Unreal engine 3


#######################################################################

                             Luigi Auriemma

Application:  Unreal engine 3
              http://www.unrealtechnology.com
Versions:     the bug affects various games which use the Unreal engine
              3 like Unreal Tournament 3 1.3, Frontlines: Fuel of War
              1.1.1 and so on
              Turning Point: Fall of Liberty is NOT vulnerable
              note: the proof-of-concept used for testing this bug has
              caused also the termination of other older games like
              Star Wars Republic Commando, Pariah, Warpath and Shadow
              Ops (no additional checks have been performed on them)
Platforms:    Windows, Linux, Mac
Bug:          server termination caused by failed memory allocation
Exploitation: remote, versus server
Date:         11 Sep 2008
Author:       Luigi Auriemma
              e-mail: aluigi@...istici.org
              web:    aluigi.org


#######################################################################


1) Introduction
2) Bug
3) The Code
4) Fix


#######################################################################

===============
1) Introduction
===============


The Unreal engine is the game engine developed by Epic Games
(http://www.epicgames.com) and used in many famous commercial games of
which the main example is just the lucky Unreal Tournament series.


#######################################################################

======
2) Bug
======


The problem is located in the function which reads the strings from the
packet where is located a 32 bit number (was an index number in the
previous Unreal engine 1 and 2) which specifies the size in bytes of the
subsequent string to read.

This function removes the sign of the number if it's negative and then
tries to allocate an amount of memory double than this value because
the new buffer is used for containing the unicode version of the string.
Before copying the data is performed an additional check on the sign of
the value for avoiding integer overflows (for example using the value
0x80000000).

If an attacker uses a 32 bit number major than how much allocable on
the system (like 0x7fffffff) the engine terminates immediately showing
a log message like the following:

  Critical: Ran out of virtual memory. To prevent this condition, you
  must free up more space on your primary hard disk."

Turning Point: Fall of Liberty is another game which uses the Unreal
engine 3 but, differently to the others tested by me, the function
which allocates the memory doesn't shut down the entire game for
reporting the error but simply returns a NULL value (like a classical
malloc) which is correctly handled and so the game is not vulnerable.

The attack can be performed versus the server using one simple UDP
packet with the possibility of spoofing it.


#######################################################################

===========
3) The Code
===========


http://aluigi.org/poc/ut3sticle.zip


#######################################################################

======
4) Fix
======


No fix


#######################################################################


--- 
Luigi Auriemma
http://aluigi.org

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ