########################################################################

                             Luigi Auriemma

Application:  Unreal Tournament
              (Win version, Linux and Mac not tested)
Version:      all versions (436 is vulnerable too)
Bug:          UT servers send a great number of packets, for 2 min and
              30 sec, to every host that sends only 1 packet to them
Date:         03 July 2002
Author:       Luigi Auriemma
              e-mail: aluigi@autistici.org
              web:    aluigi.org

########################################################################

Sections:
1) Introduction
2) Bug
3) The Code
4) Fix

########################################################################

===============
1) Introduction
===============

- Important:
Some days ago I found, with some difficulty, a discussion started by
Jeff Calvert in the "Vuln-Dev" section of SecurityFocus's Bugtraq a long
time ago (May 28 2000), which shows the problem of doing a DoS with UT
servers, but this discussion died after a few mails.
I think it is INCREDIBLE that such an important and dangerous problem
(for me a DDoS attack so simple to do is a real risk...) that has been
known since the year 2000 still exists.
However it exists, and this advisory wants to explain it.

########################################################################

======
2) Bug
======

UDP is a connection-less protocol, so it is "normal" that it is
insecure, but UT doesn't do any check on the packets that it receives!
However the bug is really simple and really dangerous; the following is
a simple example.

First, the list of the UT default ports found on the home page of the
game, http://unreal.epicgames.com:

* UDP 7775 and 7776 are used only for LAN games. You don't need to
  route them through a firewall.
* UDP 7777 is for gameplay (...the dangerous port...).
* UDP 7778 is for server querying.
* UDP 7779+ are allocated dynamically for each helper UdpLink objects,
  including UdpServerUplink objects.
* UDP 27900 is for server querying, if you enable the master server
  uplink.
  Some master servers use other ports, like 27500.

Now the example. We have 3 hosts:

A - the attacker
B - the UT server
C - the victim

- Host A sends 1 empty UDP packet with the source IP of host C to
  port 7777 (UT default port) of host B.
- Host B begins to send about 10 packets/second of 46 bytes each to
  host C and it will stop sending after 2 minutes and 30 seconds
  (default UT timeout).
- Host C will receive all these packets and it will reply with an ICMP
  port unreachable message that will be ignored by host B.
- Host A can restart the attack after 2 mins and 30 secs.

So with this bug an attacker can flood (in anonymity) other hosts.

Every packet that the UT server sends has a size of 46 bytes (and the
packets that we send to it are 28 bytes), so IN THEORY if I send 156
packets to a UT server with the sender address of a user that has a 56K
modem and a sender port that is different for each packet (a good
choice is to use incremental or random ports), the latter will be
flooded with 7200 bytes for 2 minutes and 30 seconds.

The number of packets sent by the server seems to be the same even if I
change the "Network speed" option in the net settings of UT.

Naturally this attack has 2 effects. The first is the DoS against the
victim, and then the DoS against the UT server itself, which must send
a great quantity of packets, so it uses a lot of network bandwidth and
CPU.

I think that this attack is a bit similar to the smurf attack, but
UnrealTournament is really a great game with a lot of players and
servers all over the world, so there is no problem finding servers to
use for the attack (for the smurf attack you need misconfigured routers
that are more difficult to find, but with UT you can find servers
without any problem).
For this reason I think that this bug is really dangerous and can be
used to do DDoS.

I hope that the same error will not be present in UT 2003, but I also
hope that this problem will be fixed soon.

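A server operator can recognise this reflection in a packet capture: the peer sent at most one packet, the server kept streaming to it, and ICMP port unreachable came back. The sketch below is an added example, not code from this advisory or from Epic; the record format, the MIN_OUTBOUND threshold and the sample addresses are assumptions constructed for illustration.

```python
from collections import defaultdict

MAX_INBOUND = 1    # the trigger described in the advisory is a single packet
MIN_OUTBOUND = 50  # assumed threshold: about 5 s of the ~10 packets/s stream

def find_reflected_flows(records):
    """records: (ts, direction, proto, peer_ip, peer_port, size) tuples seen on
    the UT gameplay port; direction is 'in'/'out' relative to the server and
    proto is 'udp' or 'icmp-unreach' (port unreachable sent by peer_ip)."""
    flows = defaultdict(lambda: {"in": 0, "out": 0, "in_bytes": 0, "out_bytes": 0})
    unreachable = set()
    for _ts, direction, proto, ip, port, size in records:
        if proto == "icmp-unreach":
            unreachable.add(ip)  # the peer never opened that port
            continue
        flow = flows[(ip, port)]
        flow[direction] += 1
        flow[direction + "_bytes"] += size
    hits = []
    for ip, port in sorted(flows):
        flow = flows[(ip, port)]
        # One-way stream: the server keeps sending to a peer that sent <= 1 packet.
        if flow["in"] <= MAX_INBOUND and flow["out"] >= MIN_OUTBOUND:
            hits.append({
                "peer": (ip, port),
                "out_packets": flow["out"],
                "out_bytes": flow["out_bytes"],
                "amplification": flow["out_bytes"] / max(flow["in_bytes"], 1),
                "icmp_unreachable": ip in unreachable,
            })
    return hits

def sample_records():
    """Constructed capture: one real player and one reflected flow."""
    records = []
    for i in range(100):  # real player: two-way traffic for 10 s
        records.append((i / 10, "in", "udp", "192.0.2.10", 40000, 60))
        records.append((i / 10, "out", "udp", "192.0.2.10", 40000, 46))
    # Reflected flow: one 28-byte packet in, then 46-byte packets at 10/s for 150 s.
    records.append((0.0, "in", "udp", "198.51.100.7", 1025, 28))
    for i in range(1500):
        records.append((i / 10, "out", "udp", "198.51.100.7", 1025, 46))
    records.append((0.2, "in", "icmp-unreach", "198.51.100.7", 0, 56))
    return records

if __name__ == "__main__":
    for hit in find_reflected_flows(sample_records()):
        print(hit)
```

With the sizes and timeout given above, a single 28-byte packet draws 1500 packets (69000 bytes) from the server, which is why one-way flows on port 7777 are worth alerting on or dropping at the server's firewall.
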
All the tests were made on my LAN on the Win version of
UnrealTournament (v436). (Linux and Mac have not been tested, but they
surely use the same protocol.)
Naturally I have also done some tests on the Internet and the results
are the same.

########################################################################

===========
3) The Code
===========

Look at the Utddos proof-of-concept (use with care!):

http://aluigi.org/poc/utddos.c

########################################################################

======
4) Fix
======

IPDrv.dll from Epic home.

########################################################################