Bug 44351 - games-fps/unreal engine vulnerability
Bug#: 44351
Product: Gentoo Linux
Version: unspecified
Platform: All
OS/Version: All
Status: CLOSED
Severity: enhancement
Priority: P1
Resolution: CANTFIX
Assigned To: security@gentoo.org
Reported By: carlo@gentoo.org
Component: Security
Summary: games-fps/unreal engine vulnerability
Status Whiteboard: B2 [upstream+ masked] condordes
Opened: 2004-03-11 05:50 0000
http://www.securityfocus.com/archive/1/356904/2004-03-08/2004-03-14/0
Description:
The problem is a format string bug in the Classes management.
Each time a client connects to a server it sends the names of the
objects it uses (called classes).
If an attacker uses a class name containing format parameters (as %n,
%s and so on) he will be able to crash or also to execute malicious
code on the remote server.
Affected ebuilds:
UT2003, America's Army, ... (maybe more, I'm not a game freak)
I'm not 100% sure but I believe UT-451 and UT:GOTY-451 are not affected.
The post-436 versions of UT are maintained by this group:
http://utpg.org/
Their news page talks about 'Fix for Player Login Crash Bug' (dated Jul-16-03).
The 451 have these fixes.
No idea SpanKY - from the linked bugtraq msg:
>About UT and UT2003:
>EpicGames refused to release a quick-fix for UnrealTournament and
>UnrealTournament 2003 so the fix was inserted in the planned patch
>as they do for graphic bugs and other small problems... the patch has
>not been released yet and is impossible to know when it will be ready.
I am looking into this and will hopefully have a solution some time soon.
However, given Epic's take on such things, I doubt we will see any form of fix until they release their next round of patches.
Is there any word on Epic IRT this??
Thanks!
-C
Epic? Security fix? Surely you jest!
Epic doesn't release "hot fixes" of any kind, so we have to wait until the next full patch before this will get fixed.
Wow. This is kinda a serious problem with QA.
Exploitable packages should not be in the portage tree. If no fix exists then it should be masked. But I/we know that masking games might not fly.
But reading ..
"About UT and UT2003:
EpicGames refused to release a quick-fix for UnrealTournament and
UnrealTournament 2003 so the fix was inserted in the planned patch
as they do for graphic bugs and other small problems... the patch has
not been released yet and is impossible to know when it will be ready."
Because this bug allows arbitrary remote code execution, I consider it a fairly
serious issue. Consequently, the security team intends to hard mask any
affected packages on or after 0600 on Wednesday. Comments/concerns should be
posted to the thread on gentoo-core and/or here.
--kurt
errr....make that 0600 on Thursday...
The following packages are expected to be masked because of this:
games-fps/unreal
games-fps/unreal-tournament
games-fps/unreal-tournament-goty
games-fps/unreal-tournament-infiltration
games-fps/unreal-tournament-strikeforce
games-fps/unreal-tournament-bonuspacks
games-fps/ut2003-bonuspack-epic
games-fps/ut2003
games-fps/ut2003-demo
games-server/ut2003-ded
games-fps/americas-army
Some of these packages may not be directly affected, but depend on other packages that are, so masking them as well limits the tree breakage.
If we determine that some/all of these games are, in fact, not vulnerable to the reported bug, we can unmask them individually as necessary.
After looking at the site Mike posted above, we may be able to avoid masking:
games-fps/unreal-tournament
games-fps/unreal-tournament-goty
games-fps/unreal-tournament-infiltration
games-fps/unreal-tournament-strikeforce
games-fps/unreal-tournament-bonuspacks
Not sure about games-fps/unreal, however.
There are a few parts to unreal ...
(1) It can only use the UT libraries from 436 atm ... 451 crashes it
(2) It's a single player game and although it is possible to host a server with it, I don't know of anyone who would do so for the internet ... it's only compatible with the same setup (linux unreal binary built on top of UT 436 libraries) ... in other words, Windows Unreal and UT (on any OS) are not compatible
From the utpg.org home page news item:
--------------------------------------------------------
Fix for Player Login Crash Bug
UT General :: Jul-16-03
From UnrealAdmin.org, here is a fix for the player login crash bug. This will be incorporated into the next patch as well:
All admins are advised to open their Core.int files and modify the following entry:
LoadClassMismatch=%s is not a child class of %s.%s
Change it to read:
LoadClassMismatch=%s is not a child class of %s.
This will prevent malicious clients from crashing your server by specifying an invalid player class when logging in. This fix should only be applied to Unreal Tournament servers, and you should restart your server after modifying the Core.int file in order to apply the changes.
--------------------------------------------------------
That does not appear to be a fix for the issue reported in this bug:
"If an attacker uses a class name containing format parameters (as %n,
%s and so on) he will be able to crash or also to execute malicious
code on the remote server."
As such, recommending we hard mask all packages for now until we have enough time to test/validate vulnerability.
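The two defects discussed above, as an added example (not from this thread, Epic or UTPG): a check that a `Core.int`-style entry has exactly as many conversions as the caller passes arguments, and a log path that treats the client-supplied class name as data rather than as a format. The function names, the expected count of 2 (inferred from the corrected entry) and the allowed character set are assumptions.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Count printf-style conversions in fmt; "%%" is a literal percent sign.
 * A lone trailing '%' is counted too, so a malformed string never passes. */
int count_conversions(const char *fmt)
{
    int n = 0;
    for (const char *p = fmt; *p; p++) {
        if (*p != '%')
            continue;
        if (p[1] == '%') {
            p++;            /* skip the escaped percent */
            continue;
        }
        n++;
    }
    return n;
}

/* Check one "Key=format" line of a localisation file against the number of
 * arguments the caller supplies (expected_args is an assumption here). */
int int_entry_ok(const char *line, int expected_args)
{
    const char *eq = strchr(line, '=');
    return eq != NULL && count_conversions(eq + 1) == expected_args;
}

/* Accept only names built from letters, digits, '_' and '.'.
 * The allowed character set is an assumption, not the engine's rule. */
int class_name_is_plain(const char *name)
{
    if (*name == '\0')
        return 0;
    for (; *name; name++)
        if (!isalnum((unsigned char)*name) && *name != '_' && *name != '.')
            return 0;
    return 1;
}

/* Hardened logging: the format is a constant and the client string is data.
 * The unsafe form would be snprintf(out, len, class_name). */
int log_class(char *out, size_t len, const char *class_name)
{
    return snprintf(out, len, "client class: %s", class_name);
}
```

The first check covers the `LoadClassMismatch` entry quoted from utpg.org; the second covers the class-name format string issue this bug was opened for, which that entry change does not address.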
ut2003, ut2003-bonuspack-epic, ut2003-ded, ut2003-demo, and americas-army have
been fixed.
Maybe we should issue a "Temporary" GLSA with the partial fix and reasons why
the other packages are masked?
Just tested ut-451 and it is not fixed.
utpg.org has released 451b to 'Fixed a couple of bugs that caused the client and server to crash when invalid classes are loaded'.
However, they've only released for Windows ... I e-mailed them asking about the Linux version.
utpg got back to me and they said they're working on 451b for Linux and it
should 'be out shortly' ...
We could wait for them before issuing a GLSA as I think it's the only game
that'll be addressed in the near future ...
Still no sign of 451B for Linux on utpg.org. I think we should release a GLSA,
unless someone has inside contacts with utpg defining what they mean by
"shortly".
-K
Re-emailed UTPG team to ask for Linux patch availability dates
Status update (masked ebuilds)
There is a 451b of UTPG now... perhaps we should revisit this now?
Never mind... I see now that it is the Windows version... perhaps I should read
better before posting...
CondorDes:
It's now assigned to you -- please check now and then if UTPG finally released that 451B patch for Linux: http://utpg.org/
No updates on this bug in forever -- site hasn't been updated since before
that. Packages are hard-masked. Assuming this is a bug upstream doesn't plan
to fix.
Closing as cantfix. We can re-open if/when upstream fixes.
Too bad.
Is there any way to fix this security bug OUTSIDE unreal??? Without sandboxing
unreal???
Such as tcp-ip filtering???
No.
The only solution is to not run a server.
games-fps/unreal
games-fps/unreal-tournament
games-fps/unreal-tournament-goty
These are still vulnerable (and masked) because of this and we don't ever
expect there to be a proper fix for them.
(In reply to comment #26)
> No.
>
> The only solution is to not run a server.
>
> games-fps/unreal
> games-fps/unreal-tournament
> games-fps/unreal-tournament-goty
>
> These are still vulnerable (and masked) because of this and we don't ever
> expect there to be a proper fix for them.
>
So this is only for a SERVER?
If I run unreal and I connect to a server I have no risk at all? (with this bug)
That is great... I haven't understood this that way.
So if I don't serve a game and sandbox the server app (I've a working uml) I'll
be able to play this game...
Thanks a lot