
Re: Format string bug in EpicGames Unreal engine



In-Reply-To: <20040310163053.6db31644.aluigi@xxxxxxxxxxxxxx>

It seems that all servers running the MOD "TacticalOps" for UT1 are not 
affected by the vulnerability. I ran a local test server and got the following 
output:

"PreLogin failure: Player Class: %n%n%n.s_Player_T is not valid! - reinstall Tactical Ops properly. (NEEDPW)"

It seems that the UT engine calls the "PreLogin" function of the currently 
active GameInfo class (which is written in UnrealScript) before processing the 
string.

TacticalOps code:

event PreLogin (string Options, string Address, out string Error, out string FailCode)
{
        local string Value;

        Super.PreLogin(Options,Address,Error,FailCode);
        Value=ParseOption(Options,"Class");
        // Reject any player class other than the expected one
        if ( !(Value ~= "s_SWAT.s_Player_T") )
        {
                Error="Player Class:" @ Value @ "is not valid! - reinstall Tactical Ops properly.";
                return;
        }
}

So basically only a new GameInfo class written in UnrealScript containing the 
following should stop the crash problem:

event PreLogin (string Options, string Address, out string Error, out string FailCode)
{
    Super.PreLogin(Options,Address,Error,FailCode);
    // InStr returns -1 when the substring is absent
    if (InStr(ParseOption(Options,"Class"),"%") != -1)
        Error = "Crash exploit";
}





>Application:  Unreal engine
>              http://unreal.epicgames.com
>Games:        - America's Army
>              - DeusEx
>              - Devastation
>              - Magic Battlegrounds
>              - Mobile Forces
>              - Nerf Arena Blast
>              - Postal 2
>              - Rainbow Six: Raven Shield
>              - Rune
>              - Sephiroth: 3rd episode the Crusade
>              - Star Trek: Klingon Honor Guard
>              - Tactical Ops
>              - TNN Pro Hunter
>              - Unreal 1
>              - Unreal II XMP
>              - Unreal Tournament
>              - Unreal Tournament 2003
>              - Wheel of Time
>              - X-com Enforcer
>              - XIII
>              (the list contains all the Unreal based games with
>              multiplayer support released until now)
>Platforms:    Windows, Linux and MacOS
>Bug:          remote format string bug
>Risk:         critical
>Exploitation: remote, versus server
>Date:         10 Mar 2004
>Author:       Luigi Auriemma
>              e-mail: aluigi@xxxxxxxxxxxxxx
>              web:    http://aluigi.altervista.org
>
>
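
A C sketch of the pre-login filter proposed in the reply above, added here as an illustration; it is not code from the post, from Tactical Ops or from the engine. The names `find_option`, `prelogin_check` and `format_failure` are hypothetical, the `?Key=Value` option layout is assumed, and the sample strings are constructed. It checks every `Class` occurrence and also builds the failure message with the untrusted value passed as a `%s` argument, so the specifiers stay inert text.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Locate "?key=value" in an option string (key matched case-insensitively).
   Returns a pointer to the value and stores its length in *len, or NULL. */
const char *find_option(const char *opts, const char *key, size_t *len)
{
    size_t klen = strlen(key);
    for (const char *p = strchr(opts, '?'); p; p = strchr(p, '?')) {
        size_t i = 0;
        p++;
        while (i < klen && tolower((unsigned char)p[i]) == tolower((unsigned char)key[i]))
            i++;
        if (i == klen && p[klen] == '=') {
            *len = strcspn(p + klen + 1, "?");
            return p + klen + 1;
        }
    }
    return NULL;
}

/* Hypothetical gate: returns 1 to accept the login, 0 to reject it.
   Scans the value in place, so a long value cannot hide a '%' by truncation. */
int prelogin_check(const char *opts, char *err, size_t errsz)
{
    size_t len;
    err[0] = '\0';
    for (const char *v = find_option(opts, "Class", &len); v;
         v = find_option(v + len, "Class", &len)) {
        if (memchr(v, '%', len)) {
            snprintf(err, errsz, "Rejected Class option containing '%%'");
            return 0;
        }
    }
    return 1;
}

/* Constant format string; the untrusted value is only ever an argument. */
int format_failure(char *buf, size_t sz, const char *value)
{
    return snprintf(buf, sz, "PreLogin failure: Player Class: %s is not valid!", value);
}

int main(void)
{
    char err[64], msg[128];
    const char *opts = "?Name=Player?Class=%n%n%n.s_Player_T"; /* constructed sample */
    printf("accepted=%d err=\"%s\"\n", prelogin_check(opts, err, sizeof err), err);
    format_failure(msg, sizeof msg, "%n%n%n.s_Player_T");
    puts(msg);
    return 0;
}
```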