Lucene search
K
Database
Vendors
Products
Years
CVSS
Scanner
Agent Scanning
API Scanning
Manual Audit
Perimeter Scanner
Scanning
Projects
Email
Webhook
Plugins
Resources
Documents
Blog
Glossary
FAQ
Pricing
Contacts
About Us
Partners
Branding Guideline
securityvulnsSecurityvulnsSECURITYVULNS:DOC:20522
HistorySep 15, 2008 - 12:00 a.m.

Clients format strings in the Unreal engine

2008-09-1500:00:00
vulners.com
15
JSON

#######################################################################

                         Luigi Auriemma

Application: Unreal engine
http://www.unrealtechnology.com
Versions: almost any game which uses the Unreal engine is affected
by this vulnerability except some like Unreal Tournament
2004, Dead Man's Hand and possibly other old games
Platforms: Windows, Linux, Mac
Bug: format string
Exploitation: remote, versus client
Date: 11 Sep 2008
Author: Luigi Auriemma
e-mail: [email protected]
web: aluigi.org

#######################################################################

1) Introduction
2) Bug
3) The Code
4) Fix

#######################################################################

===============
1) Introduction

The Unreal engine is the game engine developed by Epic Games
(http://www.epicgames.com) and used in many famous commercial games of
which the main example is just the lucky Unreal Tournament series.

#######################################################################

======
2) Bug

The Unreal engine is affected by some format string vulnerabilities
which can be exploited by a malicious server when the victim client
connects to it.

The main format string can be exploited through a malformed CLASS
parameter of the DLMGR command but another one seems to be exploitable
through the forcing of the download of a malformed package (PKG).
Some older games instead can be exploited through a malformed LEVEL
parameter of the WELCOME command.

The bug is caused by the calling of _vsnwprintf_s or _vsnwprintf for
building an error message to visualize to the user (for example for a
missing class) using a max size of 4 kilobytes and, naturally, without
passing the needed format argument.

#######################################################################

===========
3) The Code

http://aluigi.org/testz/unrealts.zip
http://aluigi.org/poc/unrealcfs.txt

  • unrealts 7777 unrealcfs.txt
    (or "unrealts -x 2 7777 unrealcfs.txt" for the Unreal 3 engine, use
    -x for others)
  • open the console of your client (~) and type: open 127.0.0.1:7777

#######################################################################

======
4) Fix

No fix

#######################################################################

Luigi Auriemma
http://aluigi.org

JSON