what you don't know can hurt you
Home Files News &[SERVICES_TAB]About Contact Add New

unrealEngine2.txt

unrealEngine2.txt
Posted Apr 22, 2004
Authored by Luigi Auriemma | Site aluigi.altervista.org

The Unreal engine developed by EpicGames has a flaw with UMOD where it handles information from files without properly filtering for dangerous characters. Using a standard directory traversal attack, an attacker is able to go outside of the game's directory to overwrite any file in the partition on which the game is installed.

tags | advisory
SHA-256 | b7c2785d4faefd54426965a43736ed37eceabddb772050c4cd01af7d52910f68

unrealEngine2.txt

Change Mirror Download

#######################################################################

Luigi Auriemma

Application: Unreal engine
http://unreal.epicgames.com
Versions: any game based on this engine that supports the UMOD
installation.
An example are Unreal Tournament <= 451b and Unreal
Tournament 2003 <= 2225.
A full list of vulnerable games is not available.
Platforms: Windows and MacOS (on Linux the UMODs are not officially
supported)
Bug: arbitrary file overwriting
Risk: medium as diffusion but critical as damage
Exploitation: local
Date: 22 Apr 2004
Author: Luigi Auriemma
e-mail: aluigi@altervista.org
web: http://aluigi.altervista.org


#######################################################################


1) Introduction
2) Bug
3) The Code
4) Fix


#######################################################################

===============
1) Introduction
===============


The Unreal engine developed by EpicGames natively supports a file
format called UMOD used to easily install external add-ons:

"Umod: (aka Unreal MOD) Platform independent archives that allow mod
authors to ship their game content to unreal engine gamers"


#######################################################################

======
2) Bug
======


The UMOD file format is a simple archive that contains all the files to
install plus a manifest.ini file read by the UMOD installer and used to
know some informations as the author of the mod, the description, the
needed minimum game version and more.

Using the classical "..\" pattern in the filename and in its name into
the manifest.ini file an attacker is able to go outside the game's
directory and to overwrite ANY file in the partition on which the game
is installed, without alerts or messages from the installer.


#######################################################################

===========
3) The Code
===========


http://aluigi.altervista.org/poc/umodpoc.zip


However is also possible create a normal UMOD file using the specific
utilities commonly used to do it as UmodWizard, modifying a filename
and its name in the manifest.ini file using the "..\" pattern just as
"..\..\..\windows\notepad.exe" and then recalculating the checksum of
the package with the -C option of my UMOD extractor utility
http://aluigi.altervista.org/papers/umodext.zip.


#######################################################################

======
4) Fix
======


The bug has been signaled to EpicGames the 18 December 2003.

Unreal Tournament 2004 is the only game actually patched, in fact it
has been fixed before its pubblic release.

Unreal Tournament and Unreal Tournament 2003 are still vulnerable and
the patch is a mistery from 7 months.

I don't know if and how many other games are vulnerables.


#######################################################################


---
Luigi Auriemma
http://aluigi.altervista.org
Login or Register to add favorites

File Archive:

September 2023

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Sep 1st
    2 Files
  • 2
    Sep 2nd
    21 Files
  • 3
    Sep 3rd
    0 Files
  • 4
    Sep 4th
    17 Files
  • 5
    Sep 5th
    34 Files
  • 6
    Sep 6th
    29 Files
  • 7
    Sep 7th
    11 Files
  • 8
    Sep 8th
    25 Files
  • 9
    Sep 9th
    0 Files
  • 10
    Sep 10th
    0 Files
  • 11
    Sep 11th
    26 Files
  • 12
    Sep 12th
    23 Files
  • 13
    Sep 13th
    17 Files
  • 14
    Sep 14th
    22 Files
  • 15
    Sep 15th
    16 Files
  • 16
    Sep 16th
    0 Files
  • 17
    Sep 17th
    0 Files
  • 18
    Sep 18th
    19 Files
  • 19
    Sep 19th
    60 Files
  • 20
    Sep 20th
    23 Files
  • 21
    Sep 21st
    15 Files
  • 22
    Sep 22nd
    8 Files
  • 23
    Sep 23rd
    0 Files
  • 24
    Sep 24th
    0 Files
  • 25
    Sep 25th
    17 Files
  • 26
    Sep 26th
    3 Files
  • 27
    Sep 27th
    13 Files
  • 28
    Sep 28th
    5 Files
  • 29
    Sep 29th
    0 Files
  • 30
    Sep 30th
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2022 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close