Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 54726 - games-fps/unreal* engine vulnerability in "secure" query
Summary: games-fps/unreal* engine vulnerability in "secure" query
Status: RESOLVED FIXED
Alias: None
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All All
: High major (vote)
Assignee: Gentoo Security
URL:
Whiteboard: B1 [glsa] koon
Keywords:
Depends on:
Blocks:
 
Reported: 2004-06-22 05:09 UTC by Chris Gianelloni (RETIRED)
Modified: 2011-10-30 22:41 UTC (History)
1 user (show)

See Also:
Package list:
Runtime testing required: ---


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description Chris Gianelloni (RETIRED) gentoo-dev 2004-06-22 05:09:57 UTC
#######################################################################

                             Luigi Auriemma

Application:  Unreal Engine
              http://unreal.epicgames.com
Vulnerable games:
              - DeusEx                   <= 1.112fm
              - Devastation              <= 390
              - Mobile Forces            <= 20000
              - Nerf Arena Blast         <= 1.2
              - Postal 2                 <= 1337
              - Rune                     <= 107
              - Tactical Ops             <= 3.4.0
              - TNN Pro Hunter (?)
              - Unreal 1                 <= 226f
              - Unreal II XMP            <= 7710
              - Unreal Tournament        <= 451b
              - Unreal Tournament 2003   <= 2225
              - Unreal Tournament 2004   <  3236
              - Wheel of Time            <= 333b
              - X-com Enforcer
NOT vulnerables:
              - America's Army
              - Dead man's hand
              - Magic Battlegrounds
              - Rainbow Six: Raven Shield
              - Splinter Cell: Pandora tomorrow
              - Star Trek: Klingon Honor Guard
              - Unreal Tournament 2004   >= 3236
              - XIII
Platforms:    Windows, Linux and MacOS
Bug:          memory overwriting with possible code execution
Risk:         critical
Exploitation: remote, versus servers
Date:         18 June 2004
Author:       Luigi Auriemma
              e-mail: aluigi@altervista.org
              web:    http://aluigi.altervista.org


#######################################################################


1) Introduction
2) Bug
3) The Code
4) Fix


#######################################################################

===============
1) Introduction
===============


The Unreal engine is the famous game engine developed by EpicGames and
currently is the most used in the videogames world.
Who doesn't know the great Unreal series???


#######################################################################

======
2) Bug
======


Almost all the games based on the Unreal engine support the "secure"
query.
This type of query is part of the so called Gamespy query protocol and
is used to know if the game server is able to calculate an exact
response using a provided string:
  http://unreal.epicgames.com/IpServer.htm
  http://aluigi.altervista.org/papers/gsmsalg.h

The query is a simple UDP packet like \secure\ABCDEF
If an attacker uses a long value in his secure query, in the Unreal
based game server will be overwritten some important memory zones.

Both remote code execution and spoofing are possibles.


#######################################################################

===========
3) The Code
===========


http://aluigi.altervista.org/poc/unsecure.zip

or send a similar UDP packet to the query port of the game server:

\secure\aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa...aaaa


#######################################################################

======
4) Fix
======


The bug has been noticed to EpicGames over 3 weeks ago.
Currently only UnrealTournament 2004 has been fixed with the recent
3236 patch.
Check the homepages of the other vulnerable games for possible future
fixes.

However fixing the problem should be enough simple, at least for who
has experience with the UnrealScript language.
In fact the instructions that manage the \secure\ query and pass its
value to the bugged function are written in UnrealScript code and are
located in the files IpDrv.u or IpServerver.u (they depend by the used
engine version).


#######################################################################



I am currently investigating the possibility of fixes for Unreal Tournament, Unreal Tournament 2003, and Postal 2 Demo (unsure if vulnerable), which are all in portage.  I am also investigating fixes for other games which may be added, such as Rune, as it will block their possible addition to portage.

If anyone would wish to help in testing, please do so and report to this bug.
Comment 1 Chris Gianelloni (RETIRED) gentoo-dev 2004-06-22 18:52:35 UTC
Fixed version of ut2004 has been marked stable.  I will be looking into ut2003 shortly.
Comment 2 Thierry Carrez (RETIRED) gentoo-dev 2004-06-30 01:51:50 UTC
Chris : could you list the Gentoo packages affected by this vulnerability and which have already been fixed so that we can keep track ? In my understanding there is :

games-fps/ut2003
games-fps/ut2004 (fixed)

But I'm not sure about games-fps/ut2003-demo, games-fps/unreal, games-fps/ut2004-demo, games-fps/postal2mpdemo ?
Comment 3 Chris Gianelloni (RETIRED) gentoo-dev 2004-06-30 05:00:26 UTC
games-fps/unreal (vulnerable, and still masked from last engine exploit)
games-fps/unreal-tournament (vulnerable, and still masked from last engine exploit)
games-fps/unreal-tournament-goty (vulnerable, and still masked from last engine exploit)
games-fps/ut2003 (vulnerable, not masked)
games-fps/ut2003-demo (vulnerable, not masked)
games-server/ut2003-ded (vulnerable, not masked)
games-fps/ut2004 (fixed)
games-fps/ut2004-demo (vulnerable, not masked)
games-server/ut2004-ded (not yet added, I have an ebuild, but it is already fixed)

games-fps/postal2demo (possibly vulnerable?)

Of course, games-fps/americas-army is not vulnerable.
I am researching on ut2003 and the -demos currently.  I know that there is a new ut2003 patch in BETA, as I'm a beta tester for it, and it resolves this issue, but it has not been released to the public yet.
Comment 4 Chris Gianelloni (RETIRED) gentoo-dev 2004-06-30 09:30:56 UTC
OK.  I have a workaround for UT2003* and UT2004* that I know will work.  I'll also see if it works for the other unreal* games.  If it does, I will be adding it to portage this evening.
Comment 5 Thierry Carrez (RETIRED) gentoo-dev 2004-07-07 14:03:07 UTC
Chris: what's the status on this ? Did you include all the fixes in portage ? Are there unfixable packages ?
Comment 6 Chris Gianelloni (RETIRED) gentoo-dev 2004-07-08 10:53:45 UTC
Sorry about that, I've been held up with work obligations.  The problem with my proposed "fix" as I have found out, is that while it does stop the possibility of the server being exploited remotely, it also removes the possibility of the server being listed on GameSpy, which is how servers get listed for public use.  This pretty much makes a dedicated server quite worthless, in my opinion.

Now, it does not appear that ut2003-demo does an uplink to GameSpy, at all.  This means that while the engine is vulnerable, there is no way to actually exploit this.  I have fixed ut2004-demo.

I am adding a quick fix to ut2003 and ut2003-ded, which will hold until the next patch goes final.

Everything for ut200* has been updated in portage now.
Comment 7 Thierry Carrez (RETIRED) gentoo-dev 2004-07-16 06:03:24 UTC
If we ignore the masked packages, here we have :

Vulnerable :
<=games-fps/ut2003-2225-r2
<=games-server/ut2003-ded-2225-r1
<games-fps/ut2004-3236
<=games-fps/ut2004-demo-3120-r3

Fixed :
>=games-fps/ut2003-2225-r3
>=games-server/ut2003-ded-2225-r2
>=games-fps/ut2004-3236
>=games-fps/ut2004-demo-3120-r4

If postal2demo is not vulnerable, I just realised we are ready for a GLSA :) Chris, please confirm.
Comment 8 Chris Gianelloni (RETIRED) gentoo-dev 2004-07-16 13:06:33 UTC
We're GLSA ready...
Comment 9 Thierry Carrez (RETIRED) gentoo-dev 2004-07-19 05:39:40 UTC
GLSA drafted, security please review
Comment 10 Thierry Carrez (RETIRED) gentoo-dev 2004-07-19 13:56:35 UTC
GLSA 200407-14