Clients format strings in the Unreal engine

2008.09.13
Risk: High
Local: Yes
Remote: No
CVE: N/A
CWE: N/A

#######################################################################

                             Luigi Auriemma

Application:  Unreal engine
              http://www.unrealtechnology.com
Versions:     almost any game which uses the Unreal engine is affected
              by this vulnerability, except some like Unreal Tournament
              2004, Dead Man's Hand and possibly other old games
Platforms:    Windows, Linux, Mac
Bug:          format string
Exploitation: remote, versus client
Date:         11 Sep 2008
Author:       Luigi Auriemma
              e-mail: aluigi_at_autistici.org
              web:    aluigi.org

#######################################################################

1) Introduction
2) Bug
3) The Code
4) Fix

#######################################################################

===============
1) Introduction
===============

The Unreal engine is the game engine developed by Epic Games
(http://www.epicgames.com) and used in many famous commercial games,
of which the best-known example is the successful Unreal Tournament
series.

#######################################################################

======
2) Bug
======

The Unreal engine is affected by some format string vulnerabilities
which can be exploited by a malicious server when the victim client
connects to it.

The main format string can be exploited through a malformed CLASS
parameter of the DLMGR command, but another one seems to be exploitable
by forcing the download of a malformed package (PKG).
Some older games can instead be exploited through a malformed LEVEL
parameter of the WELCOME command.

The bug is caused by calling _vsnwprintf_s or _vsnwprintf to build an
error message to display to the user (for example for a missing class)
using a max size of 4 kilobytes and, naturally, without passing the
needed format argument, so the server-supplied text is itself
interpreted as the format string.

#######################################################################

===========
3) The Code
===========

http://aluigi.org/testz/unrealts.zip
http://aluigi.org/poc/unrealcfs.txt

- unrealts 7777 unrealcfs.txt
  (or "unrealts -x 2 7777 unrealcfs.txt" for the Unreal 3 engine, use
  -x for others)
- open the console of your client (~) and type:
  open 127.0.0.1:7777

#######################################################################

======
4) Fix
======

No fix

#######################################################################

---
Luigi Auriemma
http://aluigi.org
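The coding pattern described in section 2, beside its corrected form, as an added example that is not part of the advisory or the engine's code. It assumes the portable narrow-character vsnprintf in place of _vsnwprintf; the function names, the message wording and the sample class name are hypothetical.

```c
#include <stdarg.h>
#include <stdio.h>
#include <string.h>

#define ERR_MAX 4096   /* the advisory mentions a 4 KB message size */

/* Hypothetical stand-in for the engine's message builder: a printf-style
   wrapper around vsnprintf (the advisory names _vsnwprintf/_vsnwprintf_s). */
static int build_message(char *out, size_t cap, const char *fmt, ...)
{
    va_list ap;
    va_start(ap, fmt);
    int n = vsnprintf(out, cap, fmt, ap);
    va_end(ap);
    return n;
}

/* Flawed pattern: text that already contains the server-supplied class name
   is handed over as the format, so any '%' directive in it is interpreted. */
int missing_class_flawed(char *out, size_t cap, const char *class_name)
{
    char text[ERR_MAX];
    snprintf(text, sizeof text, "Missing class %s", class_name);
    return build_message(out, cap, text);   /* untrusted text used as format */
}

/* Corrected pattern: constant format, untrusted text only as an argument. */
int missing_class_fixed(char *out, size_t cap, const char *class_name)
{
    return build_message(out, cap, "Missing class %s", class_name);
}

/* Returns 1 when directives in a constructed class name stay literal text. */
int fixed_keeps_percent_literal(void)
{
    char out[ERR_MAX];
    missing_class_fixed(out, sizeof out, "Pkg.%x%x.Class");
    return strcmp(out, "Missing class Pkg.%x%x.Class") == 0;
}

int main(void)
{
    printf("directives kept literal: %d\n", fixed_keeps_percent_literal());
    return 0;
}
```

With benign names both functions produce the same message, which is why the flawed form survives ordinary testing; building with -Wformat-security and marking such wrappers with a printf format attribute lets the compiler flag the call.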

References:

http://seclists.org/fulldisclosure/2008/Sep/0192.html

