Re: Format string bug in EpicGames Unreal engine
In-Reply-To: <20040310163053.6db31644.aluigi@xxxxxxxxxxxxxx>
It seems that all servers running the MOD "TacticalOps" for UT1 are not
affected by the vulnerability. I ran a local test server and got the following
output:
"PreLogin failure: Player Class: %n%n%n.s_Player_T is not valid! - reinstall
Tact
ical Ops properly. (NEEDPW)"
it seems that the UT engine calls the "PreLogin" function of the currently
active GameInfo class (which is written in UnrealScript) before processing the
string.
TacticalOps code:
event PreLogin (string Options, string Address, out string Error, out string
FailCode)
{
local string Value;
Super.PreLogin(Options,Address,Error,FailCode);
Value=ParseOption(Options,"Class");
if ( !Value ~= "s_SWAT.s_Player_T" )
{
Error="Player Class:" @ Value @ "is not valid! - reinstall
Tactical Ops properly.";
return;
}
}
So basicially only a new GameInfo class writtin in UnrealScript containing the
following should stop the crash problem:
event PreLogin (string Options, string Address, out string Error, out string
FailCode)
{
Super.PreLogin(Options,Address,Error,FailCode);
if(InStr(ParseOption(Options,"Class"),"%")
Error = "Crash exploit";
}
>Application: Unreal engine
> http://unreal.epicgames.com
>Games: - America's Army
> - DeusEx
> - Devastation
> - Magic Battlegrounds
> - Mobile Forces
> - Nerf Arena Blast
> - Postal 2
> - Rainbow Six: Raven Shield
> - Rune
> - Sephiroth: 3rd episode the Crusade
> - Star Trek: Klingon Honor Guard
> - Tactical Ops
> - TNN Pro Hunter
> - Unreal 1
> - Unreal II XMP
> - Unreal Tournament
> - Unreal Tournament 2003
> - Wheel of Time
> - X-com Enforcer
> - XIII
> (the list contains all the Unreal based games with
> multiplayer support released until now)
>Platforms: Windows, Linux and MacOS
>Bug: remote format string bug
>Risk: critical
>Exploitation: remote, versus server
>Date: 10 Mar 2004
>Author: Luigi Auriemma
> e-mail: aluigi@xxxxxxxxxxxxxx
> web: http://aluigi.altervista.org
>
>