Unexploitable buffer-overflow in the logging function of the Unreal engine

2007.08.22
Credit: Luigi Auriemma
Risk: Medium
Local: No
Remote: Yes
CVE: CVE-2007-4443 | CVE-2007-4442
CWE: N/A

####################################################################### Luigi Auriemma Application: Unreal engine http://www.unrealtechnology.com http://www.epicgames.com Versions: this engine is used in many games like Unreal Tournament 2003 and 2004 (both vulnerables) and I have not tested them all although I'm enough sure that almost all are vulnerables Platforms: Windows, Linux and Mac Bugs: A] unexploitable buffer-overflow in the logging function B] web admin hell bell on Windows dedicated servers Exploitation: A] remote versus server B] remote versus Windows dedicated server only Date: 18 Aug 2007 Author: Luigi Auriemma e-mail: aluigi (at) autistici (dot) org [email concealed] web: aluigi.org ####################################################################### 1) Introduction 2) Bugs 3) The Code 4) Fix ####################################################################### =============== 1) Introduction =============== The Unreal engine is a game engine developed by EpicGames (http://www.epicgames.com) used in many famous commercial games of which the main example is the just lucky Unreal Tournament series. ####################################################################### ======= 2) Bugs ======= -------------------------------------------------------- A] unexploitable buffer-overflow in the logging function -------------------------------------------------------- The logging function used in the Unreal engine (and which seems not possible to disable) is vulnerable to a buffer-overflow bug. The message passed to this function is used with appSprintf() for building the following unicode string using an output buffer of 1024 unicode chars: appSprintf(unicode_buffer, "%s: %s%s", "Log", message, "\r\n"); the appSprintf function works exactly as snprintf truncating the buffer automatically at 1024 unicode chars without adding the final NULL byte at the end if this limit is reached. Then the unicode_buffer is converted in an ascii string using a set of instructions similar to the following: for(i = 0; (cx = unicode_buffer[i]); i++) { if(cx >= 256) cx = 0x7f; ascii_buffer[i] = cx; } the instructions are enough corrects but unfortunately the destination ascii buffer is located in the stack just after the unicode_buffer and as already said this one is not delimited if the 1024 chars limit is reached. The result is that after 1024 unicode chars the instructions will start to get the unicode chars located in the output ascii buffer. The input chars are unicode chars (16 bit) and so those in the ascii buffer are ever major than the 256 number (0x0100) forcing the instructions to continue to put 0x7f chars until a NULL byte is finally reached... and in the meantime the return address has been completely overwritten by 0x7f7f7f7f. During my tests only UnrealTournament (version 451b) wasn't vulnerable because its appSprintf delimits the destination unicode buffer. How to exploit this vulnerability? For the moment I have found only the Unreal web server as way for exploiting this Denial of Service since it allows the sending and moreover the visualization of more than 1024 chars, but other better ways could exist. The internal web server built in the Unreal engine is a service useful for managing the own game server remotely through a web browser. This server is NOT enabled by default and works on port 80 if the admin doesn't change it. The files pointed by the server are those contained in the Web folder inside the game directory and /images is the only one which doesn't require authorization, and is also the one needed to exploit this bug. --------------------------------------------------- B] web admin hell bell on Windows dedicated servers --------------------------------------------------- This type of Denial of Service could seem something like a joke but it works terribly well. The non-graphical dedicated server of the Unreal engine (UCC) works in console and in some specific occasions it displays some of the data sent by the clients. The main idea behind this bug is forcing the server to visualize some invalid chars like the bell (0x07) for freezing partially the system and moreover the online game since the Windows console will start to beep without a break. In these cases the only way to stop the attack is killing the process and its console. The only good way I have found for exploiting this problem on the Unreal engine with a big amount of chars is through the web admin port since the invalid chars like 0x07 are not filtered. Some ways for exploiting the problem are requests to the /images folder, the Content-Type field using POST, any HEAD query and so on. This bug can be exploited only versus the UCC Windows dedicated server, since the in-game dedicated server has its own graphical interface and on Linux and other operating systems there is no system freeze caused by the bell... and sincerely I have never understood why the Windows console has a so stupid problem. ####################################################################### =========== 3) The Code =========== http://aluigi.org/poc/unrwebdos.zip ####################################################################### ====== 4) Fix ====== No fix. No reply received from the developers. ####################################################################### --- Luigi Auriemma http://aluigi.org http://mirror.aluigi.org


See this note in RAW Version
Vote for this issue:
50%
50%


 

Thanks for you vote!


 

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.


(*) - required fields.  
{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1
{{ x.comment }}
Copyright 2024, cxsecurity.com

 

Back to Top