Bugtraq mailing list archives

Re: Format string bug in EpicGames Unreal engine


From: Sebastian "Käppler" <sebastiankaeppler () web de>
Date: 11 Mar 2004 13:56:39 -0000

In-Reply-To: <20040310163053.6db31644.aluigi () altervista org>

It seems that all servers running the MOD "TacticalOps" for UT1 are not affected by the vulnerability. I ran a local 
test server and got the following output:

"PreLogin failure: Player Class: %n%n%n.s_Player_T is not valid! - reinstall Tactical Ops properly. (NEEDPW)"

It seems that the UT engine calls the "PreLogin" function of the currently active GameInfo class (which is written in 
UnrealScript) before processing the string.

TacticalOps code:

event PreLogin (string Options, string Address, out string Error, out string FailCode)
{
        local string Value;

        Super.PreLogin(Options,Address,Error,FailCode);
        Value=ParseOption(Options,"Class");
        if (  !Value ~= "s_SWAT.s_Player_T" )
        {
                Error="Player Class:" @ Value @ "is not valid! - reinstall Tactical Ops properly.";
                return;
        }
}

So basically only a new GameInfo class written in UnrealScript containing the following should stop the crash problem:

event PreLogin (string Options, string Address, out string Error, out string FailCode)
{
    Super.PreLogin(Options,Address,Error,FailCode);
    // InStr returns -1 when the substring is absent, so compare explicitly.
    if (InStr(ParseOption(Options,"Class"),"%") != -1)
        Error = "Crash exploit";
}





Application:  Unreal engine
             http://unreal.epicgames.com
Games:        - America's Army
             - DeusEx
             - Devastation
             - Magic Battlegrounds
             - Mobile Forces
             - Nerf Arena Blast
             - Postal 2
             - Rainbow Six: Raven Shield
             - Rune
             - Sephiroth: 3rd episode the Crusade
             - Star Trek: Klingon Honor Guard
             - Tactical Ops
             - TNN Pro Hunter
             - Unreal 1
             - Unreal II XMP
             - Unreal Tournament
             - Unreal Tournament 2003
             - Wheel of Time
             - X-com Enforcer
             - XIII
             (the list contains all the Unreal based games with
             multiplayer support released until now)
Platforms:    Windows, Linux and MacOS
Bug:          remote format string bug
Risk:         critical
Exploitation: remote, versus server
Date:         10 Mar 2004
Author:       Luigi Auriemma
             e-mail: aluigi () altervista org
             web:    http://aluigi.altervista.org
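
Added example, not part of the original message and not Unreal engine or TacticalOps code: a C model of the PreLogin filter proposed above, which rejects a Class option containing "%" and builds the error text with a fixed format so the untrusted value is only ever an argument. The names parse_option and prelogin, the "?Key=Value" option layout and the sample strings are assumptions constructed for illustration.

```c
#include <stdio.h>
#include <string.h>

/* Constructed sample join options; the "?Key=Value" layout is an assumption. */
static const char *SAMPLE_OK  = "?Name=Player?Class=s_SWAT.s_Player_T";
static const char *SAMPLE_BAD = "?Name=Player?Class=%n%n%n.s_Player_T";

/* Hypothetical stand-in for ParseOption: copy the value of `key` into out.
   Returns 1 if the key was found, 0 otherwise. */
int parse_option(const char *opts, const char *key, char *out, size_t outlen)
{
    size_t klen = strlen(key);
    for (const char *p = opts; (p = strchr(p, '?')) != NULL; ) {
        p++;
        if (strncmp(p, key, klen) == 0 && p[klen] == '=') {
            size_t n = strcspn(p + klen + 1, "?");
            if (n >= outlen) n = outlen - 1;   /* truncate, never overflow */
            memcpy(out, p + klen + 1, n);
            out[n] = '\0';
            return 1;
        }
    }
    return 0;
}

/* Script-side check from the reply: refuse any Class value containing '%'.
   Returns 0 to accept, -1 to reject; err is empty unless the login is rejected. */
int prelogin(const char *opts, char *err, size_t errlen)
{
    char cls[128];
    err[0] = '\0';
    if (!parse_option(opts, "Class", cls, sizeof cls))
        return 0;
    if (strchr(cls, '%') != NULL) {
        /* Untrusted text is passed as an argument, never as the format. */
        snprintf(err, errlen, "Rejected Class option: %s", cls);
        return -1;
    }
    return 0;
}

int main(void)
{
    char err[256];
    printf("%d\n", prelogin(SAMPLE_OK, err, sizeof err));
    printf("%d %s\n", prelogin(SAMPLE_BAD, err, sizeof err), err);
    return 0;
}
```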




