UT2003 client passive DoS exploit From: Auriemma Luigi <aluigi@pivx.com> (PivX) To: bugtraq@securityfocus.com Date: Yesterday 22.19.18 I have written an exploit about another effect of the "Negative sign bug" I discovered some months ago in the Unreal engine (http://www.pivx.com/luigi/adv/ueng-adv.txt). The vulnerable softwares are ONLY the clients of the retail UnrealTournament 2003 v2199 and the demo v2206. The patch v2225 fixes the problem in the retail game. NOTE that the link to the v2225 patch for Linux has not yet inserted on the official homepage of the game http://www.unrealtournament2003.com but it exist and you can download directly from the following URL or from any other mirror: http://unreal.epicgames.com/linux/ut2003/ut2003lnx_patch2225.tar.bz2 Instead for the demo v2206 you must download the fixed IpDrv file from here: Win: http://unreal.epicgames.com/files/UT2003Demo2206WindowsUpdate1.zip Linux: http://unreal.epicgames.com/files/IpDrv.so.bz2 The exploit simulates an Unreal Tournament 2003 server that accepts connections to the information port (default 10777) and when a client connects to it, the server will send a formatted UDP packet that contains a negative index number that consumes a customized quantity of memory on the remote client and can crash it if this quantity cannot be allocated (for more informations about this type of bug read my old ueng-adv.txt advisory). The exploit can be compiled on both Windows and Unix systems: http://www.pivx.com/luigi/poc/ut2003pdos.zip The best solution for an attacker to maliciously use the exploit is in coupling with a heartbeat emulator that lets your IP address to be added to the official online game servers list of Epic (http://ut2003master.epicgames.com/serverlist/full-all.txt). I have written an example code that makes the work and can be easily customized: http://www.pivx.com/luigi/testz/ut2003ms.zip NOTE: for using the exploit in coupling with the heartbeat emulator you need to specify 7778 as default listening port. BYEZ --- PivX Bug Researcher http://www.pivx.com/luigi/
Created attachment 11983 [details] New ebuild with fix included This is a new ebuild which will download and install the patch. It also includes an application icon for Gnome and KDE (freedesktop.org guidelines).
Created attachment 11984 [details] .desktop file Here is the .desktop file for the above ebuild
Created attachment 11990 [details] Fixed ebuild to use games.eclass This has been fixed to properly implement the security patch (SNAFU on my part) and also to conform to the games eclass. This should make for a better default installation.
glsa sent
This new ebuild does not work and causes an error as described in http://bugs.gentoo.org/show_bug.cgi?id=21152
This error is caused directly by the "IpDrv.so" file according to my tests. Without the new IpDrv.so file, the game works correctly. Now it breaks.
I'm going to contact Ryan at Icculus to see if he could shed some light on this.
Please let me know as this seems to be the "official" fix for the demo. Also, regarding the other bug #21152. It appears that the ut2003-demo.desktop file was not added to CVS. It is also needed for the ebuild to work correctly without bugs.
Apparently this has reverted to the old ebuild. This of course removed the desktop icon for KDE/Gnome. Is this being reimplemented? Also, isn't the "games" group the way games are "supposed" to be installed on Gentoo?
Quote from the games.eclass file in portage... # This is the games ebuild for standardizing the install of games ... # you better have a *good* reason why you're *not* using games.eclass # in an ebuild in app-games So why exactly is using the "games" group evil again? Would it not make sense to actually be using the proposed standard for games ebuilds on Gentoo?
Adding games@gentoo.org and sending an email to Ryan Gordon to see what he has to say about this, since it seems to have died.
have you ever received a response wolf about this ?
Nope. I'll contact him again today.
Is this still an issue?
It is still an issue and there is no known fix at this time.
Well, after discussion with rajiv on the security team, we have decided to close this one as RESOLVED - CANTFIX. Unfortunately, the game is binary-only. Without a proper *WORKING* patch from the vendor, there is little we can do about it. If you have any questions, feel free to contact me directly.
