lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list]
Message-Id: <20080921193502.f763b211.aluigi@autistici.org>
Date: Sun, 21 Sep 2008 19:35:02 +0100
From: Luigi Auriemma <aluigi@...istici.org>
To: bugtraq@...urityfocus.com, full-disclosure@...ts.grok.org.uk,
	packet@...ketstormsecurity.org, cert@...t.org
Subject: Directory traversal in the webadmin of Unreal
	Tournament 3 1.3


#######################################################################

                             Luigi Auriemma

Application:  Unreal Tournament 3
              http://www.unrealtournament3.com
Versions:     1.3 ONLY (both build 3601 and 3614)
              older versions are safe
Platforms:    Windows and Linux
Bug:          directory traversal in the web interface
Exploitation: remote, versus server
Date:         21 Sep 2008
Author:       Luigi Auriemma
              e-mail: aluigi@...istici.org
              web:    aluigi.org


#######################################################################


1) Introduction
2) Bug
3) The Code
4) Fix


#######################################################################

===============
1) Introduction
===============


Unreal Tournament 3 (UT3) is the latest game of the famous homonim
series developed by Epic Games (http://www.epicgames.com).


#######################################################################

======
2) Bug
======


UT3, as any other game based on the Unreal engine, has an internal web
server called uWeb for controlling the own server remotely using a web
browser.
This interface is disabled by default and in the case of UT3 are needed
the additional files located on http://ut3webadmin.elmuerte.com (choice
made by Epic for fixing possibly issues more quickly).

In the last 1.3 patch released the 13th August 2008 has been made a bad
and unusual modification to uWeb.
In fact the WebAdmin component is composed by two sub components/classes
called UTServerAdmin (used for everything) and UTImageServer used only
for the handling of the HTTP requests for the files in the /images
folder.

In the script of the ImageServer component in version 1.3 has been made
the following change which has removed the limitation of downloading
only files with the extentions JPG, JPEG, GIF, BMP and PNG:

ImageServer.uc of version 1.2:
    ...
    else
    {
        Response.HTTPError(404);
        return;
    }
    Response.IncludeBinaryFile( Path $ Image );

ImageServer.uc of version 1.3:
    ...
    else
    {
        Response.SendStandardHeaders("application/octet-stream", true);
    }
    Response.IncludeBinaryFile( Path $ Image );

Not a so dangerous thing except that the directory traversal which has
EVER affected this part of the engine and which has never been possible
to exploit due to the filters on the extensions of the requested files
(an image can't be classified as "sensible" data moreover if there is
no way to know the exact locations of these files) now allows any
external unauthenticated attacker to download files from the system.

In fact when a file is requested the engine first looks in the home
folder of the user who has launched the UT3 server (for example
"C:\Documents and Settings\Administrator\My Documents\My Games\Unreal
Tournament 3") because the configuration files used by the server are
located just there and then in the folder of the game, so having the
server installed on another partition doesn't limit the problem.

For example, it's enough to request the file
"/images/../../UTGame/Config/UTGame.INI" to see all the configuration
of the server which includes also the admin password to gain access to
the same webadmin interface.
In the example I have used the INI extension instead of ini because
this particular extension seems filtered internally so it's enough to
use one or more upper case chars in it to bypass the check while there
are no strange behaviours for the other extensions or files.


#######################################################################

===========
3) The Code
===========


http://aluigi.org/poc/ut3webown.txt

  nc SERVER 80 -v -v < ut3webown.txt


#######################################################################

======
4) Fix
======


No fix


#######################################################################


--- 
Luigi Auriemma
http://aluigi.org

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ