####################################################################### Luigi Auriemma Application: Unreal engine http://www.unrealtechnology.com http://www.epicgames.com Versions: this engine is used in many games like Unreal Tournament 2003 and 2004 (both vulnerables) and I have not tested them all although I'm enough sure that almost all are vulnerables Platforms: Windows, Linux and Mac Bugs: A] unexploitable buffer-overflow in the logging function B] hell bell on Windows dedicated servers Exploitation: A] remote versus server B] remote versus Windows dedicated server only Date: 18 Aug 2007 Author: Luigi Auriemma e-mail: aluigi@autistici.org web: aluigi.org ####################################################################### 1) Introduction 2) Bugs 3) The Code 4) Fix ####################################################################### =============== 1) Introduction =============== The Unreal engine is a game engine developed by EpicGames (http://www.epicgames.com) used in many famous commercial games of which the main example is the just lucky Unreal Tournament series. ####################################################################### ======= 2) Bugs ======= -------------------------------------------------------- A] unexploitable buffer-overflow in the logging function -------------------------------------------------------- The logging function used in the Unreal engine (and which seems not possible to disable) is vulnerable to a buffer-overflow bug. The message passed to this function is used with appSprintf() for building the following unicode string using an output buffer of 1024 unicode chars: appSprintf(unicode_buffer, "%s: %s%s", "Log", message, "\r\n"); the appSprintf function works exactly as snprintf truncating the buffer automatically at 1024 unicode chars without adding the final NULL byte at the end if this limit is reached. Then the unicode_buffer is converted in an ascii string using a set of instructions similar to the following: for(i = 0; (cx = unicode_buffer[i]); i++) { if(cx >= 256) cx = 0x7f; ascii_buffer[i] = cx; } the instructions are enough corrects but unfortunately the destination ascii buffer is located in the stack just after the unicode_buffer and as already said this one is not delimited if the 1024 chars limit is reached. The result is that after 1024 unicode chars the instructions will start to get the unicode chars located in the output ascii buffer. The input chars are unicode chars (16 bit) and so those in the ascii buffer are ever major than the 256 number (0x0100) forcing the instructions to continue to put 0x7f chars until a NULL byte is finally reached... and in the meantime the return address has been completely overwritten by 0x7f7f7f7f. During my tests only UnrealTournament (version 451b) wasn't vulnerable because its appSprintf delimits the destination unicode buffer. How to exploit this vulnerability? For the moment I have found only the Unreal web server as way for exploiting this Denial of Service since it allows the sending and moreover the visualization of more than 1024 chars, but other better ways could exist. The internal web server built in the Unreal engine is a service useful for managing the own game server remotely through a web browser. This server is NOT enabled by default and works on port 80 if the admin doesn't change it. The files pointed by the server are those contained in the Web folder inside the game directory and /images is the only one which doesn't require authorization, and is also the one needed to exploit this bug. ----------------------------------------- B] hell bell on Windows dedicated servers ----------------------------------------- UPDATE 17 Jul 2008 Important update: the bug can be exploited also without the web admin interface but directly though a single UDP packet to the game server's port. This is possible through a particular command (BADBOY) which is implemented in the version 2 of the Unreal engine. This type of Denial of Service could seem something like a joke but it works terribly well. The non-graphical dedicated server of the Unreal engine (UCC) works in console and in some specific occasions it displays some of the data sent by the clients. The main idea behind this bug is forcing the server to visualize some invalid chars like the bell (0x07) for freezing partially the system and moreover the online game since the Windows console will start to beep without a break. In these cases the only way to stop the attack is killing the process and its console. The only good way I have found for exploiting this problem on the Unreal engine with a big amount of chars is through the web admin port since the invalid chars like 0x07 are not filtered. Some ways for exploiting the problem are requests to the /images folder, the Content-Type field using POST, any HEAD query and so on. This bug can be exploited only versus the UCC Windows dedicated server, since the in-game dedicated server has its own graphical interface and on Linux and other operating systems there is no system freeze caused by the bell... and sincerely I have never understood why the Windows console has a so stupid problem. ####################################################################### =========== 3) The Code =========== http://aluigi.org/poc/unrwebdos.zip UPDATE 17 Jul 2008 http://aluigi.org/poc/unrhellbell.txt ####################################################################### ====== 4) Fix ====== No fix. No reply received from the developers. #######################################################################