#######################################################################

Luigi Auriemma

Application:  Unreal engine
              http://unreal.epicgames.com
Games:        - America's Army
              - DeusEx
              - Devastation
              - Magic Battlegrounds
              - Mobile Forces
              - Nerf Arena Blast
              - Postal 2
              - Rainbow Six: Raven Shield
              - Rune
              - Sephiroth: 3rd episode the Crusade
              - Star Trek: Klingon Honor Guard
              x Tactical Ops (NOT VULNERABLE)
              - TNN Pro Hunter
              - Unreal 1
              - Unreal II XMP
              - Unreal Tournament <= 451b
              - Unreal Tournament 2003
              x Unreal Tournament 2004 (NOT VULNERABLE)
              - Wheel of Time
              - X-com Enforcer
              - XIII
              (the list contains all the Unreal based games with
              multiplayer support released so far; I have NOT tested
              them all)
Platforms:    Windows, Linux and MacOS
Bug:          remote format string bug
Exploitation: remote, versus server
Date:         10 Mar 2004
Author:       Luigi Auriemma
              e-mail: aluigi@autistici.org
              web:    aluigi.org

#######################################################################

1) Introduction
2) Bug
3) The Code
4) Fix

#######################################################################

===============
1) Introduction
===============

The Unreal engine is the famous game engine developed by EpicGames
(http://www.epicgames.com) and used by a large number of games.

#######################################################################

======
2) Bug
======

The problem is a format string bug in the classes management.
Each time a client connects to a server it sends the names of the
objects it uses (called classes).
If an attacker uses a class name containing format parameters (such as
%n, %s and so on) he will be able to crash the server or even execute
malicious code on it.

This is an in-game attack, so the attacker must have access to the
server: for example, if the server is password protected he must know
the password.
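As an added illustration in C (not code from this advisory or from Epic's engine; all function names are hypothetical and the sample class names are constructed), the pattern behind this class of bug: the client-supplied name used directly as a printf-style format (kept under #if 0 because it is the defect, not something to build), the fixed-format form that makes the name inert, and a server-side admission check that rejects names carrying conversion directives.

```c
#include <stdio.h>
#include <string.h>

/* Hypothetical server-side helper. Returns 1 if the untrusted class name
   carries a conversion directive (a '%' not escaped as "%%"), i.e. the
   kind of input that reaches the bug; 0 otherwise. */
int contains_format_directive(const char *name)
{
    for (const char *p = name; *p; p++) {
        if (*p != '%') continue;
        if (p[1] == '%') { p++; continue; }   /* "%%" is a literal '%' */
        return 1;                             /* %n, %s, %x, %08x, ... */
    }
    return 0;
}

#if 0
/* Vulnerable pattern: the client-controlled name IS the format string. */
void log_class_unsafe(char *out, size_t outlen, const char *name)
{
    snprintf(out, outlen, name);
}
#endif

/* Hardened pattern: fixed format, the name is only a %s argument, so its
   '%' characters are inert. Returns snprintf's return value. */
int log_class_safe(char *out, size_t outlen, const char *name)
{
    return snprintf(out, outlen, "Loading class: %s", name);
}

/* Admission check for one class name from a join request: 1 = accept,
   0 = reject (over-long or contains a directive). Defence in depth on
   top of the fixed format string, not a substitute for it. */
int accept_class_name(const char *name, size_t maxlen)
{
    return strlen(name) <= maxlen && !contains_format_directive(name);
}

int main(void)
{
    /* constructed sample names, not captured game traffic */
    const char *names[] = { "Engine.PlayerPawn", "Bad%n%nClass", "Half%%Done" };
    char line[64];
    for (size_t i = 0; i < 3; i++) {
        log_class_safe(line, sizeof line, names[i]);
        printf("%s %s\n", accept_class_name(names[i], 48) ? "accept" : "reject", line);
    }
    return 0;
}
```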
#######################################################################

===========
3) The Code
===========

UPDATE 17 Jul 2008

http://aluigi.org/poc/unrfs.txt

#######################################################################

======
4) Fix
======

This bug was reported to EpicGames EXACTLY on the 2nd September 2003
(today is the 10th March, so over 6 months ago), but at the beginning
it was underrated and was taken a bit more seriously only in November.
All the developers of the vulnerable games have been alerted by
EpicGames through their internal mailing-list.

About UT and UT2003: EpicGames refused to release a quick-fix for
UnrealTournament and UnrealTournament 2003, so the fix was inserted in
the planned patch, as they do for graphic bugs and other small
problems... the patch has not been released yet and it is impossible
to know when it will be ready.

QUICK FIXES ARE THE SOLUTION: SECURITY BUGS ARE *NOT* COMMON BUGS!!!

#######################################################################