Memory corruption and NULL pointer in Unreal Tournament III 1.2

2008.07.30
Credit: Luigi Auriemma
Risk: Low
Local: No
Remote: Yes
CVE: N/A
CWE: N/A

####################################################################### Luigi Auriemma Application: Unreal Tournament III http://www.unrealtournament3.com Versions: <= 1.2 and 1.3beta4 Platforms: Windows (tested), Linux, PS3 and Xbox360 Bugs: A] memory corruption B] NULL pointer Exploitation: remote, versus server Date: 30 Jul 2008 Author: Luigi Auriemma e-mail: aluigi_at_autistici&#46;org web: aluigi.org ####################################################################### 1) Introduction 2) Bugs 3) The Code 4) Fix ####################################################################### =============== 1) Introduction =============== Unreal Tournament III is the latest game (2007) of the Unreal series created by Epic Games (http://www.epicgames.com). ####################################################################### ======= 2) Bugs ======= -------------------- A] memory corruption -------------------- UT3 is affected by a problem in the handling of a specific type of packet. In this particular type of packet there is a 16 bit field which specifies the size of the data that follows and if this string is longer than about 172 bytes a memory corruption will occur allowing an attacker to control various registers which could allow the execution of malicious code. --------------- B] NULL pointer --------------- If the amount of data about I talked previously is bigger than the total size of the packet the string will not be read and a NULL pointer exception will occur. This type of bug is easily recognizable on the server because the message "Error: Attempted to multiply free a voice packet" is displayed before the crash when the malformed packet is received. ####################################################################### =========== 3) The Code =========== http://aluigi.org/poc/ut3mendo.zip ####################################################################### ====== 4) Fix ====== No fix ####################################################################### --- Luigi Auriemma http://aluigi.org http://backup.aluigi.org http://mirror.aluigi.org

References:

http://seclists.org/fulldisclosure/2008/Jul/0535.html


See this note in RAW Version
Vote for this issue:
50%
50%


 

Thanks for you vote!


 

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.


(*) - required fields.  
{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1
{{ x.comment }}
Copyright 2024, cxsecurity.com

 

Back to Top