lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list]
From: aluigi at altervista.org (Luigi Auriemma)
Subject: Arbitrary file overwriting in Unreal engine through UMOD

#######################################################################

                             Luigi Auriemma

Application:  Unreal engine
              http://unreal.epicgames.com
Versions:     any game based on this engine that supports the UMOD
              installation.
              An example are Unreal Tournament <= 451b and Unreal
              Tournament 2003 <= 2225.
              A full list of vulnerable games is not available.
Platforms:    Windows and MacOS (on Linux the UMODs are not officially
              supported)
Bug:          arbitrary file overwriting
Risk:         medium as diffusion but critical as damage
Exploitation: local
Date:         22 Apr 2004
Author:       Luigi Auriemma
              e-mail: aluigi@...ervista.org
              web:    http://aluigi.altervista.org


#######################################################################


1) Introduction
2) Bug
3) The Code
4) Fix


#######################################################################

===============
1) Introduction
===============


The Unreal engine developed by EpicGames natively supports a file
format called UMOD used to easily install external add-ons:

"Umod: (aka Unreal MOD) Platform independent archives that allow mod
       authors to ship their game content to unreal engine gamers"


#######################################################################

======
2) Bug
======


The UMOD file format is a simple archive that contains all the files to
install plus a manifest.ini file read by the UMOD installer and used to
know some informations as the author of the mod, the description, the
needed minimum game version and more.

Using the classical "..\" pattern in the filename and in its name into
the manifest.ini file an attacker is able to go outside the game's
directory and to overwrite ANY file in the partition on which the game
is installed, without alerts or messages from the installer.


#######################################################################

===========
3) The Code
===========


  http://aluigi.altervista.org/poc/umodpoc.zip


However is also possible create a normal UMOD file using the specific
utilities commonly used to do it as UmodWizard, modifying a filename
and its name in the manifest.ini file using the "..\" pattern just as
"..\..\..\windows\notepad.exe" and then recalculating the checksum of
the package with the -C option of my UMOD extractor utility
http://aluigi.altervista.org/papers/umodext.zip.


#######################################################################

======
4) Fix
======


The bug has been signaled to EpicGames the 18 December 2003.

Unreal Tournament 2004 is the only game actually patched, in fact it
has been fixed before its pubblic release.

Unreal Tournament and Unreal Tournament 2003 are still vulnerable and
the patch is a mistery from 7 months.

I don't know if and how many other games are vulnerables.


#######################################################################


--- 
Luigi Auriemma
http://aluigi.altervista.org


Powered by blists - more mailing lists