Application: Unreal engine http://unreal.epicgames.com Versions: any game based on this engine that supports the UMOD installation. An example are Unreal Tournament <= 451b and Unreal Tournament 2003 <= 2225. A full list of vulnerable games is not available. Platforms: Windows and MacOS (on Linux the UMODs are not officially supported) Bug: arbitrary file overwriting Risk: medium as diffusion but critical as damage Exploitation: local Date: 22 Apr 2004 Author: Luigi Auriemma e-mail: aluigi@altervista.org
The UMOD file format is a simple archive that contains all the files to install plus a manifest.ini file read by the UMOD installer and used to know some informations as the author of the mod, the description, the needed minimum game version and more.
Using the classical "..\" pattern in the filename and in its name into the manifest.ini file an attacker is able to go outside the game's directory and to overwrite ANY file in the partition on which the game is installed, without alerts or messages from the installer.
However is also possible create a normal UMOD file using the specific utilities commonly used to do it as UmodWizard, modifying a filename and its name in the manifest.ini file using the "..\" pattern just as "..\..\..\windows\notepad.exe" and then recalculating the checksum of the package with the -C option of my UMOD extractor utility http://aluigi.altervista.org/papers/umodext.zip.
