
List:       bugtraq
Subject:    Re: Format string bug in EpicGames Unreal engine
From:       Sebastian "Käppler" <sebastiankaeppler () web ! de>
Date:       2004-03-11 13:56:39
Message-ID: 20040311135639.3022.qmail () www ! securityfocus ! com

In-Reply-To: <20040310163053.6db31644.aluigi@altervista.org>

It seems that all servers running the MOD "TacticalOps" for UT1 are not affected by
the vulnerability. I ran a local test server and got the following output:

"PreLogin failure: Player Class: %n%n%n.s_Player_T is not valid! - reinstall Tactical Ops properly. (NEEDPW)"

It seems that the UT engine calls the "PreLogin" function of the currently active
GameInfo class (which is written in UnrealScript) before processing the string.

TacticalOps code:

event PreLogin (string Options, string Address, out string Error, out string FailCode)
{
	local string Value;

	Super.PreLogin(Options,Address,Error,FailCode);
	// Requested player class, taken from the client's connection options
	Value=ParseOption(Options,"Class");
	// Parenthesized so that ! applies to the result of the comparison
	if ( !(Value ~= "s_SWAT.s_Player_T") )
	{
		Error="Player Class:" @ Value @ "is not valid! - reinstall Tactical Ops properly.";
		return;
	}
}

So basically only a new GameInfo class written in UnrealScript containing the
following should stop the crash problem:

event PreLogin (string Options, string Address, out string Error, out string FailCode)
{
    Super.PreLogin(Options,Address,Error,FailCode);
    // InStr returns -1 when the substring is absent, so compare explicitly
    if (InStr(ParseOption(Options,"Class"),"%") != -1)
        Error = "Crash exploit";
}





> Application:  Unreal engine
> http://unreal.epicgames.com
> Games:        - America's Army
> - DeusEx
> - Devastation
> - Magic Battlegrounds
> - Mobile Forces
> - Nerf Arena Blast
> - Postal 2
> - Rainbow Six: Raven Shield
> - Rune
> - Sephiroth: 3rd episode the Crusade
> - Star Trek: Klingon Honor Guard
> - Tactical Ops
> - TNN Pro Hunter
> - Unreal 1
> - Unreal II XMP
> - Unreal Tournament
> - Unreal Tournament 2003
> - Wheel of Time
> - X-com Enforcer
> - XIII
> (the list contains all the Unreal based games with
> multiplayer support released until now)
> Platforms:    Windows, Linux and MacOS
> Bug:          remote format string bug
> Risk:         critical
> Exploitation: remote, versus server
> Date:         10 Mar 2004
> Author:       Luigi Auriemma
> e-mail: aluigi@altervista.org
> web:    http://aluigi.altervista.org
> 
> 
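
The check proposed in the message above, sketched in C as an added example (not code from the message, TacticalOps or Epic). It assumes an option string of the form "?Key=Value?Key=Value"; find_option and prelogin_check are hypothetical names. It scans the whole Class value for '%' and builds the error text with a fixed format, so the value is never used as a format string.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Assumption: options look like "?Key=Value?Key=Value" (constructed layout). */

/* Locate the value of `key` (case-insensitive); returns NULL if absent. */
static const char *find_option(const char *options, const char *key, size_t *len)
{
    size_t klen = strlen(key);
    for (const char *p = strchr(options, '?'); p; p = strchr(p, '?')) {
        size_t i = 0;
        p++;                                   /* step past '?' */
        while (i < klen && tolower((unsigned char)p[i]) ==
                           tolower((unsigned char)key[i]))
            i++;
        if (i == klen && p[klen] == '=') {
            *len = strcspn(p + klen + 1, "?"); /* value ends at next '?' */
            return p + klen + 1;
        }
    }
    return NULL;
}

/* Hypothetical C analogue of the PreLogin check: 0 = accept, -1 = reject. */
int prelogin_check(const char *options, char *error, size_t errlen)
{
    size_t n = 0;
    const char *cls = find_option(options, "Class", &n);

    error[0] = '\0';
    if (cls == NULL || memchr(cls, '%', n) == NULL)
        return 0;
    /* The full value is scanned (no truncating copy), so a '%' cannot hide
       past a buffer limit. The value is only ever an argument to "%.*s";
       it is never passed as the format string itself. */
    snprintf(error, errlen, "Player Class: %.*s rejected",
             (int)(n > 64 ? 64 : n), cls);
    return -1;
}

int main(void)
{
    char err[128];
    /* Constructed sample input, modelled on the output quoted above. */
    int rc = prelogin_check("?Name=Player?Class=%n%n%n.s_Player_T", err, sizeof err);
    printf("%d %s\n", rc, err);
    return 0;
}
```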

