#######################################################################

                             Luigi Auriemma

Application:  Unreal engine
              http://www.unrealtechnology.com
Versions:     almost any game which uses the Unreal engine is affected by
              this vulnerability except some like Unreal Tournament 2004,
              Dead Man's Hand and possibly other old games
Platforms:    Windows, Linux, Mac
Bug:          format string
Exploitation: remote, versus client
Date:         11 Sep 2008
Author:       Luigi Auriemma
              e-mail: aluigi@autistici.org
              web:    aluigi.org


#######################################################################


1) Introduction
2) Bug
3) The Code
4) Fix


#######################################################################

===============
1) Introduction
===============


The Unreal engine is the game engine developed by Epic Games
(http://www.epicgames.com) and used in many famous commercial games, the
best-known example being the Unreal Tournament series.


#######################################################################

======
2) Bug
======


The Unreal engine is affected by some format string vulnerabilities which
can be exploited by a malicious server when the victim client connects to
it.

The main format string can be exploited through a malformed CLASS
parameter of the DLMGR command, but another one seems to be exploitable
by forcing the download of a malformed package (PKG).
Some older games can instead be exploited through a malformed LEVEL
parameter of the WELCOME command.

The bug is caused by calling _vsnwprintf_s or _vsnwprintf to build an
error message shown to the user (for example for a missing class), using
a maximum size of 4 kilobytes and, naturally, with the server-supplied
string used directly as the format instead of being passed as an argument
to a fixed format.

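The pattern the advisory describes, reduced to a minimal C illustration that is added here and is not code from the advisory or from the Unreal engine: an error-message helper that formats through a vsnprintf-style call, a caller that hands the string received from the server to it as the format (the bug), and the corrected caller that keeps the format a literal and passes the untrusted string through %s. The engine uses the Windows wide-char variants named above; this example uses the portable narrow-char vsnprintf so it builds anywhere, and all function names are hypothetical. The 4096-byte buffer mirrors the 4 kilobyte size stated in the text.

```c
#include <stdarg.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* The advisory states the engine builds the message into a 4 KB buffer. */
#define ERR_BUF_SIZE 4096

static char g_err[ERR_BUF_SIZE];

/* Generic message builder: the first argument is a printf-style format.
 * On its own this helper is fine; the defect lies in how it is called. */
static void format_error(char *out, size_t n, const char *fmt, ...)
{
    va_list ap;
    va_start(ap, fmt);
    vsnprintf(out, n, fmt, ap);
    va_end(ap);
}

/* VULNERABLE caller (hypothetical name): the class name that arrived from
 * the server is used as the format string itself, so any '%' directives it
 * contains are interpreted by vsnprintf. Only call this with trusted input;
 * it exists here to show the shape of the bug beside the fix. */
const char *build_missing_class_message_unsafe(const char *class_name)
{
    format_error(g_err, sizeof g_err, class_name);
    return g_err;
}

/* FIXED caller (hypothetical name): the format is a compile-time literal and
 * the untrusted string is consumed only by a %s directive, so '%' sequences
 * inside it are copied verbatim rather than interpreted. */
const char *build_missing_class_message(const char *class_name)
{
    format_error(g_err, sizeof g_err, "Missing class: %s", class_name);
    return g_err;
}

/* Defensive check usable at the protocol layer or in a detection rule: a
 * class/package/level name that will end up inside log or error text has no
 * legitimate reason to contain a '%' directive. */
bool has_format_directive(const char *s)
{
    return strchr(s, '%') != NULL;
}

int main(void)
{
    /* Constructed sample values standing in for the CLASS field of a DLMGR
     * command: one benign, one carrying a directive. */
    const char *benign = "Engine.Pawn";
    const char *hostile = "Bad%nClass";

    printf("benign  -> directive? %s\n", has_format_directive(benign) ? "yes" : "no");
    printf("hostile -> directive? %s\n", has_format_directive(hostile) ? "yes" : "no");

    /* The fixed builder leaves the directive inert in the output text. */
    printf("fixed builder: %s\n", build_missing_class_message(hostile));
    return 0;
}
```

Compile with a warning-enabled toolchain (for example `-Wall -Wformat=2`) and the compiler flags the non-literal format in the unsafe caller; that warning, together with rejecting or escaping '%' in protocol fields before they reach any printf-family call, is the practical mitigation on the client side.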
#######################################################################

===========
3) The Code
===========


http://aluigi.org/testz/unrealts.zip

http://aluigi.org/poc/unrealcfs.txt

- unrealts 7777 unrealcfs.txt
  (or "unrealts -x 2 7777 unrealcfs.txt" for the Unreal 3 engine, use -x
  for others)
- open the console of your client (~) and type:
  open 127.0.0.1:7777


#######################################################################

======
4) Fix
======


No fix


#######################################################################