List: bugtraq
Subject: Re: Format string bug in EpicGames Unreal engine
From: Sebastian "Käppler" <sebastiankaeppler () web ! de>
Date: 2004-03-11 13:56:39
Message-ID: 20040311135639.3022.qmail () www ! securityfocus ! com
In-Reply-To: <20040310163053.6db31644.aluigi@altervista.org>
It seems that all servers running the MOD "TacticalOps" for UT1 are not affected by the vulnerability. I ran a local test server and got the following output:

    "PreLogin failure: Player Class: %n%n%n.s_Player_T is not valid! - reinstall Tactical Ops properly. (NEEDPW)"

It seems that the UT engine calls the "PreLogin" function of the currently active GameInfo class (which is written in UnrealScript) before processing the string.
TacticalOps code:

    event PreLogin (string Options, string Address, out string Error, out string FailCode)
    {
        local string Value;

        Super.PreLogin(Options,Address,Error,FailCode);
        Value=ParseOption(Options,"Class");
        // Reject any player class other than the expected one
        if ( !(Value ~= "s_SWAT.s_Player_T") )
        {
            Error="Player Class:" @ Value @ "is not valid! - reinstall Tactical Ops properly.";
            return;
        }
    }

So basically only a new GameInfo class written in UnrealScript containing the following should stop the crash problem:

    event PreLogin (string Options, string Address, out string Error, out string FailCode)
    {
        Super.PreLogin(Options,Address,Error,FailCode);
        // InStr returns -1 when "%" is absent, so compare explicitly
        if ( InStr(ParseOption(Options,"Class"),"%") != -1 )
            Error = "Crash exploit";
    }

> Application: Unreal engine
> http://unreal.epicgames.com
> Games: - America's Army
> - DeusEx
> - Devastation
> - Magic Battlegrounds
> - Mobile Forces
> - Nerf Arena Blast
> - Postal 2
> - Rainbow Six: Raven Shield
> - Rune
> - Sephiroth: 3rd episode the Crusade
> - Star Trek: Klingon Honor Guard
> - Tactical Ops
> - TNN Pro Hunter
> - Unreal 1
> - Unreal II XMP
> - Unreal Tournament
> - Unreal Tournament 2003
> - Wheel of Time
> - X-com Enforcer
> - XIII
> (the list contains all the Unreal based games with
> multiplayer support released until now)
> Platforms: Windows, Linux and MacOS
> Bug: remote format string bug
> Risk: critical
> Exploitation: remote, versus server
> Date: 10 Mar 2004
> Author: Luigi Auriemma
> e-mail: aluigi@altervista.org
> web: http://aluigi.altervista.org
>
>
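
The filter proposed in the reply, shown at the native layer together with the constant-format logging that keeps specifiers literal (an added example, not code from the post, TacticalOps or the Unreal engine). The "?Key=Value" option layout, the function names and the sample strings are assumptions constructed for illustration.

```c
#include <stdio.h>
#include <string.h>

/* Copy the value of option `key` out of `opts` into `out`; returns 1 if found.
   Assumed layout (not given in the post): "?Key=Value?Key=Value". */
int parse_option(const char *opts, const char *key, char *out, size_t outsz)
{
    size_t klen = strlen(key);
    for (const char *p = strchr(opts, '?'); p != NULL; p = strchr(p, '?')) {
        p++;                                    /* step past '?' */
        if (strncmp(p, key, klen) == 0 && p[klen] == '=') {
            size_t n = strcspn(p + klen + 1, "?");
            if (n >= outsz) n = outsz - 1;      /* truncate, never overflow */
            memcpy(out, p + klen + 1, n);
            out[n] = '\0';
            return 1;
        }
    }
    return 0;
}

/* Returns 1 to accept the login, 0 to reject it. The error text is a
   constant, so no client-supplied bytes travel on in `err`. */
int prelogin_check(const char *opts, char *err, size_t errsz)
{
    char cls[128];
    err[0] = '\0';
    if (parse_option(opts, "Class", cls, sizeof cls) && strchr(cls, '%')) {
        snprintf(err, errsz, "%s", "Crash exploit");
        return 0;
    }
    return 1;
}

/* Logging a client value: it is an argument to "%s", never the format. */
int format_log(char *dst, size_t dstsz, const char *client_value)
{
    return snprintf(dst, dstsz, "PreLogin failure: %s", client_value);
}

int main(void)
{
    char err[64], line[128];
    const char *sample = "?Name=Player?Class=%n%n%n.s_Player_T"; /* constructed */
    int ok = prelogin_check(sample, err, sizeof err);
    format_log(line, sizeof line, "%n%n%n.s_Player_T");
    printf("accepted=%d err=\"%s\"\n%s\n", ok, err, line);
    return 0;
}
```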