#######################################################################
Luigi Auriemma
Application: Unreal engine
http://www.unrealtechnology.com
Versions: almost any game which uses the Unreal engine is affected
by this vulnerability except some like Unreal Tournament
2004, Dead Man's Hand and possibly other old games
Platforms: Windows, Linux, Mac
Bug: format string
Exploitation: remote, versus client
Date: 11 Sep 2008
Author: Luigi Auriemma
e-mail: [email protected]
web: aluigi.org
#######################################################################
1) Introduction
2) Bug
3) The Code
4) Fix
#######################################################################
The Unreal engine is the game engine developed by Epic Games
(http://www.epicgames.com) and used in many famous commercial games of
which the main example is just the lucky Unreal Tournament series.
#######################################################################
The Unreal engine is affected by some format string vulnerabilities
which can be exploited by a malicious server when the victim client
connects to it.
The main format string can be exploited through a malformed CLASS
parameter of the DLMGR command but another one seems to be exploitable
through the forcing of the download of a malformed package (PKG).
Some older games instead can be exploited through a malformed LEVEL
parameter of the WELCOME command.
The bug is caused by the calling of _vsnwprintf_s or _vsnwprintf for
building an error message to visualize to the user (for example for a
missing class) using a max size of 4 kilobytes and, naturally, without
passing the needed format argument.
#######################################################################
http://aluigi.org/testz/unrealts.zip
http://aluigi.org/poc/unrealcfs.txt
#######################################################################
No fix
#######################################################################
Luigi Auriemma
http://aluigi.org