exploit the possibilities
Home Files News &[SERVICES_TAB]About Contact Add New

unrealEngine2.txt

unrealEngine2.txt
Posted Apr 22, 2004
Authored by Luigi Auriemma | Site aluigi.altervista.org

The Unreal engine developed by EpicGames has a flaw with UMOD where it handles information from files without properly filtering for dangerous characters. Using a standard directory traversal attack, an attacker is able to go outside of the game's directory to overwrite any file in the partition on which the game is installed.

tags | advisory
SHA-256 | b7c2785d4faefd54426965a43736ed37eceabddb772050c4cd01af7d52910f68

unrealEngine2.txt

Change Mirror Download

#######################################################################

Luigi Auriemma

Application: Unreal engine
http://unreal.epicgames.com
Versions: any game based on this engine that supports the UMOD
installation.
An example are Unreal Tournament <= 451b and Unreal
Tournament 2003 <= 2225.
A full list of vulnerable games is not available.
Platforms: Windows and MacOS (on Linux the UMODs are not officially
supported)
Bug: arbitrary file overwriting
Risk: medium as diffusion but critical as damage
Exploitation: local
Date: 22 Apr 2004
Author: Luigi Auriemma
e-mail: aluigi@altervista.org
web: http://aluigi.altervista.org


#######################################################################


1) Introduction
2) Bug
3) The Code
4) Fix


#######################################################################

===============
1) Introduction
===============


The Unreal engine developed by EpicGames natively supports a file
format called UMOD used to easily install external add-ons:

"Umod: (aka Unreal MOD) Platform independent archives that allow mod
authors to ship their game content to unreal engine gamers"


#######################################################################

======
2) Bug
======


The UMOD file format is a simple archive that contains all the files to
install plus a manifest.ini file read by the UMOD installer and used to
know some informations as the author of the mod, the description, the
needed minimum game version and more.

Using the classical "..\" pattern in the filename and in its name into
the manifest.ini file an attacker is able to go outside the game's
directory and to overwrite ANY file in the partition on which the game
is installed, without alerts or messages from the installer.


#######################################################################

===========
3) The Code
===========


http://aluigi.altervista.org/poc/umodpoc.zip


However is also possible create a normal UMOD file using the specific
utilities commonly used to do it as UmodWizard, modifying a filename
and its name in the manifest.ini file using the "..\" pattern just as
"..\..\..\windows\notepad.exe" and then recalculating the checksum of
the package with the -C option of my UMOD extractor utility
http://aluigi.altervista.org/papers/umodext.zip.


#######################################################################

======
4) Fix
======


The bug has been signaled to EpicGames the 18 December 2003.

Unreal Tournament 2004 is the only game actually patched, in fact it
has been fixed before its pubblic release.

Unreal Tournament and Unreal Tournament 2003 are still vulnerable and
the patch is a mistery from 7 months.

I don't know if and how many other games are vulnerables.


#######################################################################


---
Luigi Auriemma
http://aluigi.altervista.org
Login or Register to add favorites

File Archive:

March 2024

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Mar 1st
    16 Files
  • 2
    Mar 2nd
    0 Files
  • 3
    Mar 3rd
    0 Files
  • 4
    Mar 4th
    32 Files
  • 5
    Mar 5th
    28 Files
  • 6
    Mar 6th
    42 Files
  • 7
    Mar 7th
    17 Files
  • 8
    Mar 8th
    13 Files
  • 9
    Mar 9th
    0 Files
  • 10
    Mar 10th
    0 Files
  • 11
    Mar 11th
    15 Files
  • 12
    Mar 12th
    19 Files
  • 13
    Mar 13th
    21 Files
  • 14
    Mar 14th
    38 Files
  • 15
    Mar 15th
    15 Files
  • 16
    Mar 16th
    0 Files
  • 17
    Mar 17th
    0 Files
  • 18
    Mar 18th
    10 Files
  • 19
    Mar 19th
    32 Files
  • 20
    Mar 20th
    46 Files
  • 21
    Mar 21st
    16 Files
  • 22
    Mar 22nd
    13 Files
  • 23
    Mar 23rd
    0 Files
  • 24
    Mar 24th
    0 Files
  • 25
    Mar 25th
    12 Files
  • 26
    Mar 26th
    31 Files
  • 27
    Mar 27th
    19 Files
  • 28
    Mar 28th
    42 Files
  • 29
    Mar 29th
    0 Files
  • 30
    Mar 30th
    0 Files
  • 31
    Mar 31st
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2022 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close