#######################################################################

                             Luigi Auriemma

Application:  Unreal engine
              http://www.unrealtechnology.com
Games:        Unreal Tournament 2004, UT2003, Postal 2, Raven Shield, SWAT4
              and many of the other games based on the old versions of the
              Unreal engine (1, 2 and 2.5).
              For the most recent games and versions of the engine the bug,
              or even the affected function, "could" no longer exist; in any
              case each game must be tested manually for confirmation.
Platforms:    Windows, Linux, MacOSX
Bug:          unicode buffer-overflow in UpdateConnectingMessage
Exploitation: remote, versus client
Date:         06 Jul 2010
Author:       Luigi Auriemma
              e-mail: aluigi@autistici.org
              web:    aluigi.org

#######################################################################

1) Introduction
2) Bug
3) The Code
4) Fix

#######################################################################

===============
1) Introduction
===============

The Unreal engine is the game engine developed by Epic Games
(http://www.epicgames.com) and used in many famous commercial games, the
best known of which is the Unreal Tournament series.

#######################################################################

======
2) Bug
======

I premise that this advisory acts mainly as a reference for the "less
recent" games that still have a huge community and player base, like
UT2004.

The clients are vulnerable to a unicode buffer-overflow in the
UpdateConnectingMessage function, which is used while the client
downloads (or tries to download, all automatically) the packages used
on the server that it does not have:

  void UGameEngine::UpdateConnectingMessage()
  {
      if(GPendingLevel && Players.Num() && Players(0)->Actor)
      {
          if(Players(0)->Actor->ProgressTimeOut < Players(0)->Actor->Level->TimeSeconds)
          {
              // 256 TCHARs each, but appSprintf formats with a fixed 1024 limit
              TCHAR Msg1[256], Msg2[256];
              appSprintf( Msg1, *LocalizeProgress(TEXT("ConnectingText"),TEXT("Engine")) );
              // Host and Map come from the pending level URL, i.e. the server
              appSprintf( Msg2, *LocalizeProgress(TEXT("ConnectingURL"),TEXT("Engine")), *GPendingLevel->URL.Host, *GPendingLevel->URL.Map );
              SetProgress( Msg1, Msg2, 60.f );
          }
      }
  }

The overflow happens because appSprintf is a wrapper for _vsnwprintf
that uses a max size of 1024 bytes, versus the 256 of the destination
buffer: the limit passed to the formatting function is a fixed constant
unrelated to the size of the buffer it writes into.

Note that the clients must have the downloads enabled
([IpDrv.TcpNetDriver]->AllowDownloads=True), which is the default in any
game.

#######################################################################

===========
3) The Code
===========

http://aluigi.org/testz/unrealts.zip
http://aluigi.org/poc/unrealcbof.txt

- unrealts 7777 unrealcbof.txt
  (or "unrealts -x 2 7777 unrealcbof.txt" for the Unreal 3 engine, use
  -x for the others)
- open the console of your client (~ or F10 on some games) and type:
  open 127.0.0.1:7777

#######################################################################

======
4) Fix
======

No fix.

#######################################################################
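The size mismatch described in section 2, as an added example that is not part of the advisory or of the Unreal engine: a wrapper whose formatting limit is a fixed 1024 rather than the real capacity of the caller's 256-element buffer, next to a bounded wrapper that takes the destination size and reports truncation. The engine's TCHAR/_vsnwprintf pair is modelled with char/vsnprintf so the code is portable C99; the format string, the 300-character host name and the map name are constructed stand-ins for the localized ConnectingURL string and the pending URL fields. The legacy path is measured with vsnprintf(NULL, 0, ...) instead of reproducing the overrun.

```c
/* Added example (not Unreal engine code): models the wrapper-limit versus
   destination-size mismatch described in the advisory. */
#include <stdarg.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Assumed values: the legacy wrapper's fixed limit and the callers' buffers. */
#define WRAPPER_LIMIT 1024   /* what the legacy wrapper passes to the printf family */
#define MSG_BUF       256    /* Msg1[256] / Msg2[256] in UpdateConnectingMessage */

/* Hypothetical stand-in for the localized "ConnectingURL" string. */
#define FMT_CONNECTING_URL "Connecting to %s/%s..."

/* Bytes (terminator included) that the legacy wrapper would emit for this call
   beyond the caller's buffer, or 0 if it fits. Nothing is written to memory:
   the length is measured with vsnprintf(NULL, 0, ...). */
size_t legacy_overflow_bytes(size_t dst_count, const char *fmt, ...)
{
    va_list ap;
    va_start(ap, fmt);
    int needed = vsnprintf(NULL, 0, fmt, ap);   /* length without terminator */
    va_end(ap);
    if (needed < 0)
        return 0;
    size_t emitted = (size_t)needed;
    if (emitted > (size_t)(WRAPPER_LIMIT - 1))
        emitted = (size_t)(WRAPPER_LIMIT - 1);  /* the wrapper's own cap */
    emitted += 1;                               /* terminator */
    return emitted > dst_count ? emitted - dst_count : 0;
}

/* Bounded wrapper: the limit is the destination's real capacity, the result is
   always terminated, and truncation is reported instead of silently overrunning.
   Returns 0 on success, 1 if the message was truncated, -1 on a format error. */
int bounded_format(char *dst, size_t dst_count, const char *fmt, ...)
{
    if (dst_count == 0)
        return -1;
    va_list ap;
    va_start(ap, fmt);
    int ret = vsnprintf(dst, dst_count, fmt, ap);
    va_end(ap);
    if (ret < 0) {
        dst[0] = '\0';
        return -1;
    }
    return (size_t)ret >= dst_count ? 1 : 0;
}

/* Constructed sample input: a host name of n-1 'A' characters. */
static void make_long_host(char *host, size_t n)
{
    memset(host, 'A', n - 1);
    host[n - 1] = '\0';
}

/* Overrun in bytes that the legacy pattern produces for a 300-character host. */
size_t demo_legacy_overflow(void)
{
    char host[301];
    make_long_host(host, sizeof host);
    return legacy_overflow_bytes(MSG_BUF, FMT_CONNECTING_URL, host, "DM-Deck17");
}

/* Status of the bounded wrapper on the same input; *out_len gets the result length. */
int demo_bounded_status(size_t *out_len)
{
    char host[301];
    char msg[MSG_BUF];
    make_long_host(host, sizeof host);
    int status = bounded_format(msg, sizeof msg, FMT_CONNECTING_URL, host, "DM-Deck17");
    if (out_len)
        *out_len = strlen(msg);
    return status;
}

/* Length of the truncated message: always fits the buffer with its terminator. */
size_t demo_bounded_length(void)
{
    size_t len = 0;
    demo_bounded_status(&len);
    return len;
}

/* A realistic short host fits in both paths: no overrun, no truncation. */
int demo_short_host_fits(void)
{
    char msg[MSG_BUF];
    int status = bounded_format(msg, sizeof msg, FMT_CONNECTING_URL, "127.0.0.1:7777", "DM-Deck17");
    size_t over = legacy_overflow_bytes(MSG_BUF, FMT_CONNECTING_URL, "127.0.0.1:7777", "DM-Deck17");
    return (status == 0 && over == 0) ? 1 : 0;
}

int main(void)
{
    size_t len = 0;
    printf("legacy wrapper overruns Msg2 by %zu bytes\n", demo_legacy_overflow());
    printf("bounded wrapper: status=%d, length=%zu\n", demo_bounded_status(&len), len);
    printf("short host fits both: %d\n", demo_short_host_fits());
    return 0;
}
```

With the 300-character host the formatted message needs 327 characters; the legacy path emits 328 bytes into a 256-byte buffer, 72 too many, while the bounded wrapper keeps 255 characters plus the terminator and returns the truncation status so the caller can decide whether a cut-off progress message is acceptable.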