PiP
I found it interesting ;-)

QUOTE

#######################################################################

                            Luigi Auriemma

Application:  Unreal Engine
              http://unreal.epicgames.com
Vulnerable games:
              - DeusEx                  <= 1.112fm
              - Devastation             <= 390
              - Mobile Forces           <= 20000
              - Nerf Arena Blast        <= 1.2
              - Postal 2                <= 1337
              - Rune                    <= 107
              - Tactical Ops            <= 3.4.0
              - TNN Pro Hunter (?)
              - Unreal 1                <= 226f
              - Unreal II XMP           <= 7710
              - Unreal Tournament       <= 451b
              - Unreal Tournament 2003  <= 2225
              - Unreal Tournament 2004  <  3236
              - Wheel of Time           <= 333b
              - X-com Enforcer
NOT vulnerable:
              - America's Army
              - Dead man's hand
              - Magic Battlegrounds
              - Rainbow Six: Raven Shield
              - Splinter Cell: Pandora tomorrow
              - Star Trek: Klingon Honor Guard
              - Unreal Tournament 2004  >= 3236
              - XIII
Platforms:    Windows, Linux and MacOS
Bug:          memory overwriting with possible code execution
Risk:         critical
Exploitation: remote, versus servers
Date:         18 June 2004
Author:       Luigi Auriemma
              e-mail: aluigi@altervista.org
              web:    http://aluigi.altervista.org


#######################################################################


1) Introduction
2) Bug
3) The Code
4) Fix


#######################################################################

===============
1) Introduction
===============


The Unreal engine is the famous game engine developed by EpicGames and
is currently the most widely used in the video game world.
Who doesn't know the great Unreal series?


#######################################################################

======
2) Bug
======


Almost all the games based on the Unreal engine support the "secure"
query.
This type of query is part of the so-called Gamespy query protocol and
is used to check whether the game server is able to calculate the exact
response for a provided string:
  http://unreal.epicgames.com/IpServer.htm
  http://aluigi.altervista.org/papers/gsmsalg.h

The query is a simple UDP packet like \secure\ABCDEF
If an attacker uses a long value in his secure query, some important
memory zones in the Unreal-based game server will be overwritten.

Both remote code execution and spoofing are possible.


#######################################################################

===========
3) The Code
===========


http://aluigi.altervista.org/poc/unsecure.zip

or send a similar UDP packet to the query port of the game server:

\secure\aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa...aaaa


#######################################################################

======
4) Fix
======


The bug was reported to EpicGames over 3 weeks ago.
Currently only UnrealTournament 2004 has been fixed, with the recent
3236 patch.
Check the homepages of the other vulnerable games for possible future
fixes.

However, fixing the problem should be simple enough, at least for
whoever has experience with the UnrealScript language.
In fact, the instructions that manage the \secure\ query and pass its
value to the bugged function are written in UnrealScript and are
located in the file IpDrv.u or IpServer.u (which one depends on the
engine version used).


#######################################################################


---
Luigi Auriemma
http://aluigi.altervista.org
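The \secure\ handling the advisory describes, as an added example that is not code from the advisory, from Epic, or from the Unreal engine: a bounded parser for GameSpy-style \key\value query packets and a handler that rejects an oversized \secure\ value before it is copied into a fixed-size buffer, which is the shape of the fix the advisory says belongs in the UnrealScript that passes the value on. SECURE_MAX and MAX_KEY_LEN are assumed limits (the advisory's challenge "ABCDEF" is six bytes), the function names are mine, the oversized packet is constructed in memory the way the advisory's test packet is, and the real GameSpy challenge computation (gsmsalg) is deliberately not implemented here.

```c
/*
 * Added example: not the advisory's, Epic's or the engine's code.
 * Parses "\key\value" query packets and bounds the \secure\ value
 * before it touches a fixed buffer. Limits and names are assumptions.
 */
#include <stdio.h>
#include <string.h>

#define MAX_KEY_LEN 32   /* assumed: longest key name accepted */
#define SECURE_MAX  32   /* assumed: longest \secure\ challenge accepted */
#define MAX_FIELDS  8    /* assumed: fields per packet */

typedef struct {
    char key[MAX_KEY_LEN];
    const char *value;   /* points into the packet, not NUL-terminated */
    size_t value_len;
} gs_field;

typedef enum { GS_OK, GS_NO_SECURE, GS_SECURE_TOO_LONG, GS_MALFORMED } gs_verdict;

/* Split "\k1\v1\k2\v2..." into fields without copying values.
 * Returns the field count, or -1 if the packet does not start with a
 * backslash, has an empty/oversized key, or has too many fields.
 * A trailing "\key\" or "\key" yields an empty value. */
int gs_parse(const char *pkt, size_t len, gs_field *out, int max_fields)
{
    int n = 0;
    size_t i = 0;
    if (len == 0 || pkt[0] != '\\')
        return -1;
    while (i < len) {
        if (n == max_fields || pkt[i] != '\\')
            return -1;
        size_t ks = ++i;                       /* key starts after '\' */
        while (i < len && pkt[i] != '\\')
            i++;
        size_t klen = i - ks;
        if (klen == 0 || klen >= MAX_KEY_LEN)
            return -1;
        memcpy(out[n].key, pkt + ks, klen);
        out[n].key[klen] = '\0';
        out[n].value = pkt + i;
        out[n].value_len = 0;
        if (i < len) {                         /* skip separating '\' */
            size_t vs = ++i;
            while (i < len && pkt[i] != '\\')
                i++;
            out[n].value = pkt + vs;
            out[n].value_len = i - vs;
        }
        n++;
    }
    return n;
}

/* The check the advisory's fix amounts to: bound the \secure\ value
 * before copying it. `challenge` stands in for the fixed buffer that
 * an unbounded copy would overrun. */
gs_verdict handle_secure_query(const char *pkt, size_t len)
{
    gs_field f[MAX_FIELDS];
    char challenge[SECURE_MAX + 1];
    int n = gs_parse(pkt, len, f, MAX_FIELDS);
    if (n < 0)
        return GS_MALFORMED;
    for (int k = 0; k < n; k++) {
        if (strcmp(f[k].key, "secure") != 0)
            continue;
        if (f[k].value_len > SECURE_MAX)
            return GS_SECURE_TOO_LONG;         /* reject, do not copy */
        memcpy(challenge, f[k].value, f[k].value_len);
        challenge[f[k].value_len] = '\0';
        /* a real server would now run the GameSpy challenge algorithm
         * over `challenge`; this example stops here */
        return GS_OK;
    }
    return GS_NO_SECURE;
}

/* Construct a \secure\ query whose value is fill_len 'a' bytes, the
 * shape of the advisory's test packet. Returns the packet length, or
 * 0 if it does not fit in out. */
size_t build_secure_query(char *out, size_t outsz, size_t fill_len)
{
    const char prefix[] = "\\secure\\";
    size_t plen = sizeof prefix - 1;
    if (outsz < plen || fill_len > outsz - plen)
        return 0;
    memcpy(out, prefix, plen);
    memset(out + plen, 'a', fill_len);
    return plen + fill_len;
}

/* Build a constructed query of the given fill length and run it
 * through the hardened handler. */
gs_verdict check_generated(size_t fill_len)
{
    char pkt[4096];
    size_t len = build_secure_query(pkt, sizeof pkt, fill_len);
    return len ? handle_secure_query(pkt, len) : GS_MALFORMED;
}

int main(void)
{
    const char *names[] = { "ok", "no secure key", "secure value too long", "malformed" };
    printf("\\secure\\ABCDEF -> %s\n", names[handle_secure_query("\\secure\\ABCDEF", 14)]);
    printf("2000 x 'a'      -> %s\n", names[check_generated(2000)]);
    printf("\\status\\       -> %s\n", names[handle_secure_query("\\status\\", 8)]);
    return 0;
}
```

The value is never copied until its length has been compared against the buffer that will receive it; that single comparison is what the vulnerable games lack. The UnrealScript-side fix the advisory points at can apply the same bound before calling the native function, which leaves the native code untouched.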
Nurgle
Oh this sounds very interesting, THX Man
Arnie
very interesting :)
thanks a lot
brOmstar
I agree this one is very interesting because it's widespread and no patch has been released.

Is someone able to add shellcode? I will set up a UT server tomorrow for testing.
liquidSilver
QUOTE (brOmstar @ Jun 23 2004, 12:15 AM)
I agree this one is very interesting because it's widespread and no patch has been released.

Is someone able to add shellcode? I will set up a UT server tomorrow for testing.


QUOTE
The bug was reported to EpicGames over 3 weeks ago.
Currently only UnrealTournament 2004 has been fixed, with the recent
3236 patch.
Check the homepages of the other vulnerable games for possible future
fixes.


There's a patch ;)

Edit: Whoops, my bad, UT2k4 is the only one patched ;)
brOmstar
I set up a UT server and it works. There is no patch available.

Can someone give some hints on how to add shellcode to this BO? I will try to analyse the code via IDA Pro.

It is possible to overwrite the ESI register.

[image not preserved]

Can someone explain the meaning of the ASCII string next to ECX and EBP?

PS: Is somebody interested in explaining to me how to modify the PoC exploit to add shellcode? Not a 1-2-3 tutorial; I'm interested in how it is possible to exploit such a vuln. Thx.
:D
Invision Power Board © 2001-2005 Invision Power Services, Inc.