Luigi Auriemma

aluigi.org (ARCHIVE-ONLY FORUM!)

All times are UTC [ DST ]





 Post subject: incredible, unbelievable... Unreal!
PostPosted: 31 Jul 2008 15:11 

Joined: 13 Aug 2007 21:44
Posts: 4068
Location: http://aluigi.org
it's really hard to believe (for me too) but even in 2008 one single anonymous UDP packet can be enough to execute code remotely on one of the biggest, most complex, famous and played games in the world: Unreal Tournament 3, the "flagship" of the Unreal 3 engine.

http://aluigi.org/adv/ut3mendo-adv.txt

I have found a bug and released an advisory the same day for UT2004 too:

http://aluigi.org/adv/ut2004null-adv.txt

For UT3 I bet the imminent patch 1.3 will fix the problem (in fact 1.3beta4 is considered the final beta before the release, and it has been lucky to find and publish this bug at this exact moment so it will hopefully be fixed immediately) while for UT2004 I don't know if Epic will release a hotfix.


Top
 Profile  
 
 
 Post subject:
PostPosted: 01 Aug 2008 13:22 

Joined: 01 Aug 2008 13:17
Posts: 1
Nice work aluigi... I tested it out on my own UT3 server and it works as promised (scary).

Did you report your findings to Epic? Not that you're under any obligation to...


Top
 Profile  
 
 Post subject:
PostPosted: 01 Aug 2008 13:50 

Joined: 13 Aug 2007 21:44
Posts: 4068
Location: http://aluigi.org
no, some months ago I changed my policy about contacting vendors/developers for various reasons.
then in the past I have never had a quick response from Epic, usually months were required between my first mail and the final patch or hotfix


Top
 Profile  
 
 Post subject:
PostPosted: 01 Aug 2008 14:33 

Joined: 24 Sep 2007 02:12
Posts: 1114
Location: http://sethioz.co.uk
it is kind of unbelievable hehe, I've heard that UT is a VERY secure game and even that the UT developers were fighting against sites who posted hacks for UT.
you can only crash a server using this bug? without entering the server yourself?


Top
 Profile  
 
 Post subject:
PostPosted: 01 Aug 2008 15:19 

Joined: 13 Aug 2007 21:44
Posts: 4068
Location: http://aluigi.org
the bug (in reality there are two bugs in the same piece of the protocol) can allow code execution too.
and yes, it's all completely outside the server


Top
 Profile  
 
 Post subject:
PostPosted: 02 Aug 2008 17:24 

Joined: 13 Aug 2007 21:44
Posts: 4068
Location: http://aluigi.org
update:
the NULL pointer I found in UT2004 affects other games too, like Red Orchestra, Shadow Ops and America's Army.
Then only one packet is needed for testing the bug.

So I have updated the advisory and have released a new one for America's Army:

http://aluigi.org/adv/ut2004null-adv.txt
http://aluigi.org/adv/armynchia-adv.txt


Top
 Profile  
 
 Post subject:
PostPosted: 02 Aug 2008 23:38 

Joined: 05 Oct 2007 01:20
Posts: 402
Location: Florida
does it affect anything before Unreal Tournament 2004?
like ut2003 or anything before that?


Top
 Profile  
 
 Post subject:
PostPosted: 03 Aug 2008 00:08 

Joined: 13 Aug 2007 21:44
Posts: 4068
Location: http://aluigi.org
only the games listed in the ut2004null advisory: UT2004, Red Orchestra, Shadow Ops: Red Mercury and America's Army.

it is possible that the problem also affects other games but I have already tested UT2003, Unreal 2, Dead Man's Hand, Fuel of War, Land of the Dead and Republic Commando and the bug isn't in them (and no, it doesn't seem to be an option since I have already changed any of them in UT2004 and the bug is always there).
Other older games have not been tested since they are already affected by other vulnerabilities.


Top
 Profile  
 
 Post subject:
PostPosted: 14 Aug 2008 20:47 

Joined: 13 Aug 2007 21:44
Posts: 4068
Location: http://aluigi.org
exactly as I programmed, patch 1.3 for UT3 fixes both the NULL pointer and the memory corruption vulnerability


Top
 Profile  
 
 Post subject:
PostPosted: 24 Aug 2008 19:39 

Joined: 11 Aug 2008 16:01
Posts: 7
aluigi wrote:
no, some months ago I changed my policy about contacting vendors/developers for various reasons.
then in the past I have never had a quick response from Epic, usually months were required between my first mail and the final patch or hotfix


I don't blame you one bit. After what Boston is doing to those MIT students, it is not even worth contacting them anymore.


Top
 Profile  
 
 Post subject: Re: incredible, unbelievable... Unreal!
PostPosted: 11 Sep 2008 21:32 

Joined: 13 Aug 2007 21:44
Posts: 4068
Location: http://aluigi.org
new vulnerability in Unreal Tournament 3:

http://aluigi.org/adv/ut3sticle-adv.txt


Top
 Profile  
 
 Post subject: Re: incredible, unbelievable... Unreal!
PostPosted: 12 Sep 2008 02:51 

Joined: 05 Oct 2007 01:20
Posts: 402
Location: Florida
geez ut3 engine is glitchyyyy
how many does that add up to now?


Top
 Profile  
 
 Post subject: Re: incredible, unbelievable... Unreal!
PostPosted: 14 Sep 2008 12:02 

Joined: 13 Aug 2007 21:44
Posts: 4068
Location: http://aluigi.org
I have lost count of all the bugs affecting this engine... it's really one of the buggiest in the world

anyway this morning I have created some quick fixes in some minutes (this is the positive thing of bugs forced by the same games, through assertions and other checks) for the ut2004null, armynchia and ut3sticle vulnerabilities.
I have tested them here and everything works perfectly so if someone has a big server feel free to test these fixes deeply:

http://aluigi.org/patches.htm#unreal


Top
 Profile  
 
 Post subject: Re: incredible, unbelievable... Unreal!
PostPosted: 15 Sep 2008 14:01 

Joined: 13 Aug 2007 21:44
Posts: 4068
Location: http://aluigi.org
for yesterday's post there is only to add that the fix for ut2004null/armynchia has been classified as "experimental work-around" (although I have had absolutely no problems on the AA and UT2004 test servers on Windows) while the ut3 fix is just a patch because UT3 handles perfectly the return value of the function which allocates the memory.
Fuel of War instead performs no check on the NULL pointer returned by the failed allocation (which works just like malloc) and so crashes trying to write data to the NULL location... blah

Instead the following is a strange thing I casually noticed after I released my ut2004null advisory:

http://www.xraygaming.com/forums/showthread.php?p=16974

the dates of those bans are over 10 days before my advisory which means that (if they are correct) someone else already found and exploited the same bug privately


Top
 Profile  
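The contrast drawn in the post above, between a caller that handles the allocator's return value and one that writes to a NULL pointer after a failed allocation, as an added example that is not part of the original thread and is not engine code. The packet layout, `pool_alloc` and both handler names are hypothetical.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical allocator with a fixed budget: NULL on failure, like malloc. */
#define POOL_BUDGET 4096u
static void *pool_alloc(size_t n)
{
    return (n == 0 || n > POOL_BUDGET) ? NULL : malloc(n);
}

/* Constructed layout: 4-byte little-endian buffer size, then payload. */
static uint32_t read_le32(const uint8_t *p)
{
    return (uint32_t)p[0] | (uint32_t)p[1] << 8 |
           (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24;
}

/* Unchecked caller: when pool_alloc fails, memcpy writes through NULL
   and the process crashes. Shown for contrast, never called below. */
int handle_unchecked(const uint8_t *pkt, size_t len)
{
    if (pkt == NULL || len < 4) return -1;
    uint32_t want = read_le32(pkt);
    if (len - 4 > want) return -1;
    uint8_t *buf = pool_alloc(want);
    memcpy(buf, pkt + 4, len - 4);      /* buf may be NULL here */
    free(buf);
    return (int)(len - 4);
}

/* Checked caller: a failed allocation drops the packet (-1), no crash. */
int handle_checked(const uint8_t *pkt, size_t len)
{
    if (pkt == NULL || len < 4) return -1;
    uint32_t want = read_le32(pkt);
    if (len - 4 > want) return -1;      /* payload larger than buffer */
    uint8_t *buf = pool_alloc(want);
    if (buf == NULL) return -1;         /* allocation failed: reject */
    memcpy(buf, pkt + 4, len - 4);
    free(buf);
    return (int)(len - 4);
}

int main(void)
{
    const uint8_t huge[] = {0xff, 0xff, 0xff, 0xff, 'a'};  /* constructed */
    return handle_checked(huge, sizeof huge) == -1 ? 0 : 1;
}
```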
 
 Post subject: Re: incredible, unbelievable... Unreal!
PostPosted: 16 Sep 2008 01:44 

Joined: 13 Aug 2007 21:44
Posts: 4068
Location: http://aluigi.org
New vulnerability and relative fix:

http://aluigi.org/adv/unreaload-adv.txt


Top
 Profile  
 
 Post subject: Re: incredible, unbelievable... Unreal!
PostPosted: 16 Sep 2008 21:47 

Joined: 05 Oct 2007 01:20
Posts: 402
Location: Florida
geez luigi, ur finding these daily for unreal.


Top
 Profile  
 
 Post subject: Re: incredible, unbelievable... Unreal!
PostPosted: 19 Sep 2008 12:45 

Joined: 13 Aug 2007 21:44
Posts: 4068
Location: http://aluigi.org
note: the updated executable released by Epic for UT3 (http://www.epicgames.com/download/ut3.exe) does NOT fix the "unreaload" vulnerability released a couple of days ago


Top
 Profile  
 
 Post subject: Re: incredible, unbelievable... Unreal!
PostPosted: 21 Sep 2008 01:38 

Joined: 13 Aug 2007 21:44
Posts: 4068
Location: http://aluigi.org
Epic has released a new executable for UT3 at the same location and with the same build as that other one (3614) which also fixes the unreaload bug... why haven't they changed the build number of this version?!?!?!?

the following is a new vulnerability, a directory traversal in the webadmin interface:

http://aluigi.org/adv/ut3webown-adv.txt

affects only UT3 1.3, read the advisory to see also the exact changes between 1.2 and 1.3 which have caused the bug


Top
 Profile  
 
 Post subject: Re: incredible, unbelievable... Unreal!
PostPosted: 21 Sep 2008 02:11 

Joined: 05 Oct 2007 01:20
Posts: 402
Location: Florida
so they made a patch, but the version # is the same.... what the -- why?
so this vulnerability u found doesn't affect the 'patched' version?


Top
 Profile  
 
 Post subject: Re: incredible, unbelievable... Unreal!
PostPosted: 21 Sep 2008 10:23 

Joined: 13 Aug 2007 21:44
Posts: 4068
Location: http://aluigi.org
yes they left the version number the same, in fact I casually redownloaded the executable and it has the same version as the one I already downloaded the day before except that the new one fixes the "unreaload" bug and the old one does not.

The directory traversal instead works with any build number of version 1.3 so both the original 3601 and the latest 3614 hotfixes.


Top
 Profile  
 
 Post subject: Re: incredible, unbelievable... Unreal!
PostPosted: 21 Sep 2008 14:13 

Joined: 05 Oct 2007 01:20
Posts: 402
Location: Florida
so it only fixed 1 thing from ur list of bugs?


Top
 Profile  
 
 Post subject: Re: incredible, unbelievable... Unreal!
PostPosted: 21 Sep 2008 14:18 

Joined: 13 Aug 2007 21:44
Posts: 4068
Location: http://aluigi.org
it fixes both ut3sticle and unreaload.
the new bug (ut3webown) has been just released and I doubt it can be fixed with a new executable, they will need to upload probably a new uWeb.u file


Top
 Profile  
 
 Post subject: Re: incredible, unbelievable... Unreal!
PostPosted: 22 Sep 2008 00:43 

Joined: 13 Aug 2007 21:44
Posts: 4068
Location: http://aluigi.org
webadmin 1.7 has just been released, which fixes the directory traversal in UT3


Top
 Profile  
 
 Post subject: Re: incredible, unbelievable... Unreal!
PostPosted: 26 Sep 2008 14:45 

Joined: 13 Aug 2007 21:44
Posts: 4068
Location: http://aluigi.org
the following two posts are in italian (don't worry the links, the dates and the mails are in english) and are another proof of how ignorants and lamers exist also (and in some cases, moreover) in the admin side:

post4197.html#p4197
post4222.html#p4222

although they were aware of the problems for months (for one of the bugs they knew its effects even before my advisory) they were too lazy or just technically unable to find solutions or do "real" information about the facts.
For them it has been easier to do disinformation for hiding their incompetence.. and making me lot of laughs because seeing ignorants like some of these guys called elmuerte and wormbo who try to talk about "bug researching", "security" and moreover "standards" knowing NOTHING of this field is really incredibly funny and ridiculous for themselves

luckily not all the admins or the communities are like these "losers", for example Gioggiolo solved the problem by himself with iptables a couple of weeks before the increasing of attacks from some script-kiddies, in America's Army the unofficial fix arrived in less than 10 days http://www.hazardaaclan.com/storage/voi ... _patch.cpp and for ut2004null and ut3sticle I created a work-around and a patch the same day I have been aware of the mass exploiting of the vulnerabilities.


Top
 Profile  
 
 Post subject: Re: incredible, unbelievable... Unreal!
PostPosted: 26 Sep 2008 17:22 

Joined: 24 Sep 2007 02:12
Posts: 1114
Location: http://sethioz.co.uk
OMFG !! this is seriously RIDICULOUS !
those ppl are complete idiots .. as you already said. i so hate them. they find out that you found an exploit and then they call you loser, idiot, noob ..etc. (idiots, noobs ..etc can't even make such things).
To me it seems those ppl are just jealous that you can find such things and that they are too dumb to fix it. so they just talk crap and WHINE and point fingers..
of course the worst thing is IGNORING the facts and truth...that's really sad :(

If there is anybody to blame, it's lazy ass game developers and server admins who are too dumb or lazy to fix those bugs.


Top
 Profile  
 
 Post subject: Re: incredible, unbelievable... Unreal!
PostPosted: 26 Sep 2008 21:26 

Joined: 16 Aug 2007 06:25
Posts: 367
Sethioz wrote:
If there is anybody to blame, it's lazy ass game developers and server admins who are too dumb or lazy to fix those bugs.


Agreed. If anyone is to get blamed or scolded, it should be the developers for not fixing bugs in a timely manner.

Luigi is doing them a favor, because some vulnerabilities stay private, leaving server admins and players without answers as to why their client/server isn't functioning normally.


Top
 Profile  
 
 Post subject: Re: incredible, unbelievable... Unreal!
PostPosted: 26 Sep 2008 23:47 

Joined: 24 Sep 2007 02:12
Posts: 1114
Location: http://sethioz.co.uk
Quote:
because some vulnerabilities stay private, leaving server admins and players without answers as to why their client/server isn't functioning normally.


exactly! For example I know a few bugs for a few games and I'm not going to share them, because I don't want anybody to make a fix for it.

as for their blame on Luigi, where they say that he doesn't give a heads up to them.. why should he? Luigi used to do that, but what did he get back? I'm pretty sure Luigi explained somewhere on this forum why he doesn't contact developers anymore.


Top
 Profile  
 