#######################################################################

                             Luigi Auriemma

Application:  Unreal Engine
              http://unreal.epicgames.com
Vulnerable games:
              - DeusEx <= 1.112fm
              - Devastation <= 390
              - Mobile Forces <= 20000
              - Nerf Arena Blast <= 1.2
              - Postal 2 <= 1337
              - Rune <= 107
              - Tactical Ops <= 3.4.0
              - TNN Pro Hunter (?)
              - Unreal 1 <= 226f
              - Unreal II XMP <= 7710
              - Unreal Tournament <= 451b
              - Unreal Tournament 2003 <= 2225
              - Unreal Tournament 2004 < 3236
              - Wheel of Time <= 333b
              - X-com Enforcer
NOT vulnerable:
              - America's Army
              - Dead man's hand
              - Magic Battlegrounds
              - Rainbow Six: Raven Shield
              - Splinter Cell: Pandora tomorrow
              - Star Trek: Klingon Honor Guard
              - Unreal Tournament 2004 >= 3236
              - XIII
Platforms:    Windows, Linux and MacOS
Bug:          memory overwriting with possible code execution
Exploitation: remote, versus servers
Date:         18 June 2004
Author:       Luigi Auriemma
              e-mail: aluigi@autistici.org
              web:    aluigi.org

#######################################################################

1) Introduction
2) Bug
3) The Code
4) Fix

#######################################################################

===============
1) Introduction
===============

The Unreal engine is the famous game engine developed by EpicGames and is
currently the most used one in the videogame world.
Who doesn't know the great Unreal series???

#######################################################################

======
2) Bug
======

Almost all the games based on the Unreal engine support the "secure"
query. This type of query is part of the so-called Gamespy query
protocol and is used to check whether the game server is able to
calculate the exact response for a provided string:

  http://unreal.epicgames.com/IpServer.htm
  http://aluigi.org/papers/gsmsalg.h

The query is a simple UDP packet like:

  \secure\ABCDEF

If an attacker uses a long value in his secure query, important memory
zones in the Unreal-based game server get overwritten.
Both remote code execution and spoofing are possible.
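The following is an added example (not code from the advisory, from EpicGames or from the Gamespy SDK) showing the check a server operator or IDS author would want against the query just described: a parser for the `\key\value` packet format that measures each value and flags a `\secure\` challenge longer than a sane bound before it is handed to the challenge routine. The length limit of 8 bytes is an assumption derived from the six-character `ABCDEF` example above and is a parameter; `challenge_fn` stands in for the engine's gsmsalg-style response function, which is not implemented here.

```python
"""Validator for Gamespy-style "\\key\\value" UDP query packets.

Added example for the advisory above; it is not the engine's own code.
Two uses: as a pre-check on the server side (reject before the value
reaches the response routine) and as detection logic over captured
query-port traffic.
"""
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional

# Assumption: a real \secure\ challenge is a short token such as "ABCDEF";
# the exact bound is tunable, but hundreds of bytes is never legitimate.
DEFAULT_MAX_SECURE_LEN = 8
DEFAULT_MAX_VALUE_LEN = 256     # generic cap for any other key
DEFAULT_MAX_PACKET_LEN = 1400   # a query comfortably fits one datagram


@dataclass
class QueryVerdict:
    fields: Dict[str, str] = field(default_factory=dict)
    reasons: List[str] = field(default_factory=list)

    @property
    def suspicious(self) -> bool:
        return bool(self.reasons)


def parse_query(packet: bytes) -> Dict[str, str]:
    """Split a query into key/value pairs.

    Wire format is \\key\\value\\key\\value...; a trailing key without a
    value (e.g. "\\status\\") maps to the empty string. Values are opaque
    here (decoded as latin-1 so every byte survives), we only measure them.
    Raises ValueError when the packet does not start with a backslash.
    """
    if not packet.startswith(b"\\"):
        raise ValueError("query does not start with a backslash")
    tokens = packet.decode("latin-1").split("\\")[1:]
    if tokens and tokens[-1] == "":
        tokens.pop()            # trailing separator yields an empty token
    if len(tokens) % 2:
        tokens.append("")       # last key carries no value
    fields: Dict[str, str] = {}
    for i in range(0, len(tokens), 2):
        fields[tokens[i].lower()] = tokens[i + 1]
    return fields


def check_query(packet: bytes,
                max_secure_len: int = DEFAULT_MAX_SECURE_LEN,
                max_value_len: int = DEFAULT_MAX_VALUE_LEN,
                max_packet_len: int = DEFAULT_MAX_PACKET_LEN) -> QueryVerdict:
    """Return a verdict listing every reason the packet looks hostile."""
    verdict = QueryVerdict()
    if len(packet) > max_packet_len:
        verdict.reasons.append(
            f"packet length {len(packet)} exceeds {max_packet_len}")
    try:
        verdict.fields = parse_query(packet)
    except ValueError as exc:
        verdict.reasons.append(f"malformed: {exc}")
        return verdict
    for key, value in verdict.fields.items():
        if key == "secure" and len(value) > max_secure_len:
            verdict.reasons.append(
                f"secure challenge is {len(value)} bytes (limit {max_secure_len})")
        elif len(value) > max_value_len:
            verdict.reasons.append(
                f"value for {key!r} is {len(value)} bytes (limit {max_value_len})")
        if "\x00" in key or "\x00" in value:
            verdict.reasons.append(f"NUL byte inside field {key!r}")
    return verdict


def guarded_secure_handler(packet: bytes,
                           challenge_fn: Callable[[str], bytes]) -> Optional[bytes]:
    """Server-side shape of the fix: the challenge string only reaches the
    response routine after its length has been bounded. challenge_fn is a
    placeholder for the engine's gsmsalg-style function (assumed, not real)."""
    verdict = check_query(packet)
    if verdict.suspicious or "secure" not in verdict.fields:
        return None
    return challenge_fn(verdict.fields["secure"])


if __name__ == "__main__":
    # Constructed sample packets, modelled on the advisory's description.
    samples = [
        b"\\secure\\ABCDEF",          # normal challenge
        b"\\status\\",                # normal status query, empty value
        b"\\secure\\" + b"a" * 500,   # the oversized value the advisory describes
        b"secure\\AAAA",              # malformed, no leading backslash
    ]
    for pkt in samples:
        v = check_query(pkt)
        print(f"{pkt[:24]!r:32} suspicious={v.suspicious} {'; '.join(v.reasons)}")
```

Run stand-alone, the script prints one verdict per sample packet; only the oversized `\secure\` value and the malformed packet are flagged.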
#######################################################################

===========
3) The Code
===========

http://aluigi.org/poc/unsecure.zip

or send a similar UDP packet to the query port of the game server:

  \secure\aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa...aaaa

#######################################################################

======
4) Fix
======

The bug was reported to EpicGames on 24 May 2004.
Currently only Unreal Tournament 2004 has been fixed, with the recent
3236 patch. Check the homepages of the other vulnerable games for
possible future fixes.

However, fixing the problem should be simple enough, at least for
anyone with experience of the UnrealScript language. In fact the
instructions that handle the \secure\ query and pass its value to the
buggy function are written in UnrealScript and are located in the
files IpDrv.u or IpServer.u (which one depends on the engine version
used).

#######################################################################