|
Luigi Auriemma aluigi.org (ARCHIVE-ONLY FORUM!) |
|
It is currently 19 Jul 2012 11:59
[ 27 posts ] |
aluigi
|
Post subject: incredible, unbelievable... Unreal! Posted: 31 Jul 2008 15:11 |
|
Joined: 13 Aug 2007 21:44 Posts: 4068 Location: http://aluigi.org
|
it's really hard to believe (for me too) but even in 2008 one single anonymous UDP packet can be enough to execute code remotely on one of the biggest, most complex, famous and played games in the world: Unreal Tournament 3, the "flagship" of the Unreal 3 engine.
http://aluigi.org/adv/ut3mendo-adv.txt
I have found a bug and released an advisory the same day for UT2004 too:
http://aluigi.org/adv/ut2004null-adv.txt
For UT3 I bet the imminent patch 1.3 will fix the problem (in fact 1.3beta4 is considered the final beta before the release, and it was lucky to find and publish this bug at this exact moment so it will hopefully be fixed immediately) while for UT2004 I don't know if Epic will release a hotfix.
|
Stink
|
Post subject: Posted: 01 Aug 2008 13:22 |
|
Joined: 01 Aug 2008 13:17 Posts: 1
|
Nice work aluigi... I tested it out on my own UT3 server and it works as promised (scary).
Did you report your findings to Epic? Not that you're under any obligation to...
|
aluigi
|
Post subject: Posted: 01 Aug 2008 13:50 |
|
Joined: 13 Aug 2007 21:44 Posts: 4068 Location: http://aluigi.org
|
no, some months ago I changed my policy about contacting vendors/developers for various reasons.
also, in the past I never had a quick response from Epic; usually months were required between my first mail and the final patch or hotfix
|
Sethioz
|
Post subject: Posted: 01 Aug 2008 14:33 |
|
Joined: 24 Sep 2007 02:12 Posts: 1114 Location: http://sethioz.co.uk
|
it is kinda unbelievable hehe, I've heard that UT is a VERY secure game and even that UT developers were fighting against sites who posted hacks for UT. you can only crash a server using this bug? without entering the server yourself?
|
aluigi
|
Post subject: Posted: 01 Aug 2008 15:19 |
|
Joined: 13 Aug 2007 21:44 Posts: 4068 Location: http://aluigi.org
|
the bug (in reality there are two bugs in the same piece of the protocol) can allow code execution too.
and yes, it's all completely outside the server
|
aluigi
|
Post subject: Posted: 02 Aug 2008 17:24 |
|
Joined: 13 Aug 2007 21:44 Posts: 4068 Location: http://aluigi.org
|
evan1715
|
Post subject: Posted: 02 Aug 2008 23:38 |
|
Joined: 05 Oct 2007 01:20 Posts: 402 Location: Florida
|
does it affect anything before unreal tournament 2004?
like ut2003 or anything before that?
|
aluigi
|
Post subject: Posted: 03 Aug 2008 00:08 |
|
Joined: 13 Aug 2007 21:44 Posts: 4068 Location: http://aluigi.org
|
only the games listed in the ut2004null advisory: UT2004, Red Orchestra, Shadow Ops: Red Mercury and America's Army.
it is possible that the problem also affects other games but I have already tested UT2003, Unreal 2, Dead Man's Hand, Fuel of War, Land of the Dead and Republic Commando and the bug isn't in them (and no, it doesn't seem to be an option since I have already changed all of them in UT2004 and the bug is always there).
Other older games have not been tested since they are already affected by other vulnerabilities.
|
aluigi
|
Post subject: Posted: 14 Aug 2008 20:47 |
|
Joined: 13 Aug 2007 21:44 Posts: 4068 Location: http://aluigi.org
|
exactly as I programmed, patch 1.3 for UT3 fixes both the NULL pointer and the memory corruption vulnerability
|
a noob
|
Post subject: Posted: 24 Aug 2008 19:39 |
|
Joined: 11 Aug 2008 16:01 Posts: 7
|
aluigi wrote: no, some months ago I changed my policy about contacting vendors/developers for various reasons. also, in the past I never had a quick response from Epic; usually months were required between my first mail and the final patch or hotfix
I don't blame you one bit. After what Boston is doing to those MIT students, it is not even worth contacting them anymore.
|
aluigi
|
Post subject: Re: incredible, unbelievable... Unreal! Posted: 11 Sep 2008 21:32 |
|
Joined: 13 Aug 2007 21:44 Posts: 4068 Location: http://aluigi.org
|
evan1715
|
Post subject: Re: incredible, unbelievable... Unreal! Posted: 12 Sep 2008 02:51 |
|
Joined: 05 Oct 2007 01:20 Posts: 402 Location: Florida
|
geez ut3 engine is glitchyyyy how many does that add up to now?
|
aluigi
|
Post subject: Re: incredible, unbelievable... Unreal! Posted: 14 Sep 2008 12:02 |
|
Joined: 13 Aug 2007 21:44 Posts: 4068 Location: http://aluigi.org
|
I have lost count of all the bugs affecting this engine... it's really one of the buggiest in the world
anyway this morning I created some quick fixes in a few minutes (this is the positive thing about bugs forced by the games themselves, through assertions and other checks) for the ut2004null, armynchia and ut3sticle vulnerabilities. I have tested them here and everything works perfectly so if someone has a big server feel free to test these fixes deeply:
http://aluigi.org/patches.htm#unreal
|
aluigi
|
Post subject: Re: incredible, unbelievable... Unreal! Posted: 15 Sep 2008 14:01 |
|
Joined: 13 Aug 2007 21:44 Posts: 4068 Location: http://aluigi.org
|
to yesterday's post there is only to add that the fix for ut2004null/armynchia has been classified as an "experimental work-around" (although I have had absolutely no problems on the AA and UT2004 test servers on Windows) while the ut3 fix is just a patch because UT3 handles perfectly the return value of the function which allocates the memory. Fuel of War instead performs no check on the NULL pointer returned by the failed allocation (which works just like malloc) and so crashes trying to write data to the NULL location... blah
Instead, the following is a strange thing I casually noticed after I released my ut2004null advisory:
http://www.xraygaming.com/forums/showthread.php?p=16974
the dates of those bans are over 10 days before my advisory, which means that (if they are correct) someone else had already found and exploited the same bug privately
|
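The unchecked-allocation failure mode described in the post above, as an added C example that is not part of the thread and not code from any Unreal engine game. The wire format, `parse_field`, `alloc_fn`, `failing_alloc` and `MAX_FIELD` are hypothetical names constructed for illustration, and it is an assumption here that the allocation size comes from the sender.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Constructed wire format for this example (NOT the Unreal protocol):
 * 4-byte little-endian payload length, followed by the payload. */
#define MAX_FIELD (64u * 1024u)   /* assumed per-field limit */

enum { PARSE_OK = 0, PARSE_TRUNCATED = -1, PARSE_TOO_BIG = -2, PARSE_NOMEM = -3 };

/* The allocator is injectable so the failure path can be exercised. */
typedef void *(*alloc_fn)(size_t);
static void *failing_alloc(size_t n) { (void)n; return NULL; }  /* test double */

int parse_field(const uint8_t *pkt, size_t pkt_len, alloc_fn alloc,
                uint8_t **out, uint32_t *out_len)
{
    uint32_t declared;
    uint8_t *buf;
    *out = NULL;
    *out_len = 0;
    if (pkt_len < 4)
        return PARSE_TRUNCATED;
    declared = (uint32_t)pkt[0] | ((uint32_t)pkt[1] << 8) |
               ((uint32_t)pkt[2] << 16) | ((uint32_t)pkt[3] << 24);
    /* Bound the sender-chosen size before it reaches the allocator. */
    if (declared > MAX_FIELD)
        return PARSE_TOO_BIG;
    if (declared > pkt_len - 4)
        return PARSE_TRUNCATED;
    buf = alloc(declared ? declared : 1);
    /* The check the post says is missing: without it the memcpy below
     * writes through a NULL pointer and the server process crashes. */
    if (buf == NULL)
        return PARSE_NOMEM;
    memcpy(buf, pkt + 4, declared);
    *out = buf;
    *out_len = declared;
    return PARSE_OK;
}

int main(void)
{
    const uint8_t pkt[] = { 3, 0, 0, 0, 'a', 'b', 'c' };  /* constructed packet */
    uint8_t *data;
    uint32_t len;
    int rc = parse_field(pkt, sizeof pkt, failing_alloc, &data, &len);
    return rc == PARSE_NOMEM ? 0 : 1;  /* packet rejected, process survives */
}
```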
|
aluigi
|
Post subject: Re: incredible, unbelievable... Unreal! Posted: 16 Sep 2008 01:44 |
|
Joined: 13 Aug 2007 21:44 Posts: 4068 Location: http://aluigi.org
|
evan1715
|
Post subject: Re: incredible, unbelievable... Unreal! Posted: 16 Sep 2008 21:47 |
|
Joined: 05 Oct 2007 01:20 Posts: 402 Location: Florida
|
geez luigi, ur finding these daily for unreal.
|
aluigi
|
Post subject: Re: incredible, unbelievable... Unreal! Posted: 19 Sep 2008 12:45 |
|
Joined: 13 Aug 2007 21:44 Posts: 4068 Location: http://aluigi.org
|
aluigi
|
Post subject: Re: incredible, unbelievable... Unreal! Posted: 21 Sep 2008 01:38 |
|
Joined: 13 Aug 2007 21:44 Posts: 4068 Location: http://aluigi.org
|
Epic has released a new executable for UT3 at the same location and with the same build as that other one (3614) which also fixes the unreaload bug... why haven't they changed the build number of this version?!?!?!?
the following is a new vulnerability, a directory traversal in the webadmin interface:
http://aluigi.org/adv/ut3webown-adv.txt
affects only UT3 1.3, read the advisory to see also the exact changes between 1.2 and 1.3 which have caused the bug
|
evan1715
|
Post subject: Re: incredible, unbelievable... Unreal! Posted: 21 Sep 2008 02:11 |
|
Joined: 05 Oct 2007 01:20 Posts: 402 Location: Florida
|
so they made a patch, but the version # is the same.... what the -- why? so this vulnerability u found doesn't affect the 'patched' version?
|
aluigi
|
Post subject: Re: incredible, unbelievable... Unreal! Posted: 21 Sep 2008 10:23 |
|
Joined: 13 Aug 2007 21:44 Posts: 4068 Location: http://aluigi.org
|
yes they left the version number the same, in fact I casually redownloaded the executable and it has the same version as the one I already downloaded the day before except that the new one fixes the "unreaload" bug and the old one does not.
The directory traversal instead works with any build number of version 1.3 so both the original 3601 and the latest 3614 hotfixes.
|
evan1715
|
Post subject: Re: incredible, unbelievable... Unreal! Posted: 21 Sep 2008 14:13 |
|
Joined: 05 Oct 2007 01:20 Posts: 402 Location: Florida
|
so it only fixed 1 thing from ur list of bugs?
|
aluigi
|
Post subject: Re: incredible, unbelievable... Unreal! Posted: 21 Sep 2008 14:18 |
|
Joined: 13 Aug 2007 21:44 Posts: 4068 Location: http://aluigi.org
|
it fixes both ut3sticle and unreaload. the new bug (ut3webown) has just been released and I doubt it can be fixed with a new executable, they will probably need to upload a new uWeb.u file
|
aluigi
|
Post subject: Re: incredible, unbelievable... Unreal! Posted: 22 Sep 2008 00:43 |
|
Joined: 13 Aug 2007 21:44 Posts: 4068 Location: http://aluigi.org
|
webadmin 1.7 has just been released, which fixes the directory traversal in UT3
|
aluigi
|
Post subject: Re: incredible, unbelievable... Unreal! Posted: 26 Sep 2008 14:45 |
|
Joined: 13 Aug 2007 21:44 Posts: 4068 Location: http://aluigi.org
|
the following two posts are in Italian (don't worry, the links, the dates and the mails are in English) and are another proof of how ignorant people and lamers also exist (and in some cases, even more so) on the admin side:
post4197.html#p4197
post4222.html#p4222
although they had been aware of the problems for months (for one of the bugs they knew its effects even before my advisory) they were too lazy or just technically unable to find solutions or to give "real" information about the facts. For them it was easier to spread disinformation to hide their incompetence.. and give me a lot of laughs, because seeing ignorant people like some of these guys called elmuerte and wormbo who try to talk about "bug researching", "security" and moreover "standards" knowing NOTHING of this field is really incredibly funny and ridiculous for themselves
luckily not all the admins or the communities are like these "losers", for example Gioggiolo solved the problem by himself with iptables a couple of weeks before the increase of attacks from some script-kiddies, in America's Army the unofficial fix arrived in less than 10 days
http://www.hazardaaclan.com/storage/voi ... _patch.cpp
and for ut2004null and ut3sticle I created a work-around and a patch the same day I became aware of the mass exploitation of the vulnerabilities.
|
Sethioz
|
Post subject: Re: incredible, unbelievable... Unreal! Posted: 26 Sep 2008 17:22 |
|
Joined: 24 Sep 2007 02:12 Posts: 1114 Location: http://sethioz.co.uk
|
OMFG !! this is seriously RIDICULOUS ! those ppl are complete idiots .. as you already said. I so hate them. they find out that you found an exploit and then they call you loser, idiot, noob ..etc. (idiots, noobs ..etc can't even make such things). To me it seems those ppl are just jealous that you can find such things and that they are too dumb to fix it. so they just talk crap and WHINE and point fingers.. of course the worst thing is IGNORING the facts and truth...that's really sad :(
If there is anybody to blame, it's lazy ass game developers and server admins who are too dumb or lazy to fix those bugs.
|
SomaFM
|
Post subject: Re: incredible, unbelievable... Unreal! Posted: 26 Sep 2008 21:26 |
|
Joined: 16 Aug 2007 06:25 Posts: 367
|
Sethioz wrote: If there is anybody to blame, it's lazy ass game developers and server admins who are too dumb or lazy to fix those bugs.
Agreed. If anyone is to get blamed or scolded, it should be the developers for not fixing bugs in a timely manner. Luigi is doing them a favor, because some vulnerabilities stay private, leaving server admins and players without answers as to why their client/server isn't functioning normally.
|
Sethioz
|
Post subject: Re: incredible, unbelievable... Unreal! Posted: 26 Sep 2008 23:47 |
|
Joined: 24 Sep 2007 02:12 Posts: 1114 Location: http://sethioz.co.uk
|
Quote: because some vulnerabilities stay private, leaving server admins and players without answers as to why their client/server isn't functioning normally.
exactly ! For example I know a few bugs for a few games and I'm not going to share them, because I don't want anybody to make a fix for them.
as for their blame on Luigi, where they say that he doesn't give them a heads up.. why should he ? Luigi used to do that, but what did he get back ? I'm pretty sure Luigi explained somewhere on this forum why he doesn't contact developers anymore.
|