#######################################################################

                             Luigi Auriemma

Application:  Unreal engine 3
              http://www.unrealtechnology.com
Versions:     the bug affects various games which use the Unreal
              engine 3, like Unreal Tournament 3 1.3, Frontlines: Fuel
              of War 1.1.1 and so on
              Turning Point: Fall of Liberty is NOT vulnerable
              note: the proof-of-concept used for testing this bug
              also caused the termination of older games like Star
              Wars Republic Commando, Pariah, Warpath and Shadow Ops
              (no additional checks have been performed on them)
Platforms:    Windows, Linux, Mac
Bug:          server termination caused by failed memory allocation
Exploitation: remote, versus server
Date:         11 Sep 2008
Author:       Luigi Auriemma
              e-mail: aluigi@autistici.org
              web:    aluigi.org


#######################################################################


1) Introduction
2) Bug
3) The Code
4) Fix


#######################################################################

===============
1) Introduction
===============


The Unreal engine is the game engine developed by Epic Games
(http://www.epicgames.com) and used in many famous commercial games,
the main example being the successful Unreal Tournament series.


#######################################################################

======
2) Bug
======


The problem is located in the function which reads strings from the
packet. Each string is preceded by a 32 bit number (an index number in
the previous Unreal engine 1 and 2) which specifies the size in bytes
of the string that follows.

This function removes the sign of the number if it is negative and
then tries to allocate twice that amount of memory, because the new
buffer is used to hold the unicode version of the string.
Before the data is copied, an additional check on the sign of the
value is performed to avoid integer overflows (for example with the
value 0x80000000).

If an attacker uses a 32 bit number larger than what can be allocated
on the system (like 0x7fffffff), the engine terminates immediately,
showing a log message like the following:

  Critical: Ran out of virtual memory. To prevent this condition, you must free up more space on your primary hard disk."

Turning Point: Fall of Liberty is another game which uses the Unreal
engine 3 but, unlike the others I tested, its memory allocation
function does not shut down the entire game to report the error. It
simply returns a NULL value (like a classical malloc), which is
correctly handled, so the game is not vulnerable.

The attack is performed against the server with a single UDP packet,
which can also be spoofed.


#######################################################################

===========
3) The Code
===========


http://aluigi.org/poc/ut3sticle.zip


#######################################################################

======
4) Fix
======


No fix


#######################################################################


---
Luigi Auriemma
http://aluigi.org
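
Added example for section 2, not part of the original advisory and not engine code: a bounded string reader that compares the claimed length with the bytes actually left in the datagram before allocating, and returns an error on allocation failure as described for Turning Point. The names pkt_t, magnitude, unchecked_request, read_string and the RS_* codes are hypothetical; the little-endian length field and the byte-to-16-bit widening are assumptions.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* Hypothetical packet cursor and result codes (not engine names). */
typedef struct { const uint8_t *data; size_t len, pos; } pkt_t;
enum { RS_OK = 0, RS_TRUNCATED = -1, RS_TOO_LONG = -2, RS_NOMEM = -3 };

/* Sign-stripped value of the 32 bit length field. */
static uint32_t magnitude(uint32_t raw) {
    return (raw & 0x80000000u) ? 0u - raw : raw;
}

/* Bytes the pattern in section 2 asks the allocator for: length * 2. */
uint64_t unchecked_request(uint32_t raw) {
    return (uint64_t)magnitude(raw) * 2;
}

/* Bounded reader: the claimed length is compared with the bytes really
   left in the datagram before anything is allocated, and a failed
   allocation is reported to the caller instead of ending the process. */
int read_string(pkt_t *p, uint16_t **out, uint32_t *out_len) {
    if (p->len - p->pos < 4) return RS_TRUNCATED;
    const uint8_t *d = p->data + p->pos;
    /* Assumption: the length field is little-endian on the wire. */
    uint32_t raw = d[0] | d[1] << 8 | d[2] << 16 | (uint32_t)d[3] << 24;
    uint32_t n = magnitude(raw);
    if (n > p->len - p->pos - 4) return RS_TOO_LONG;
    uint16_t *buf = malloc(((size_t)n + 1) * sizeof *buf);
    if (buf == NULL) return RS_NOMEM;
    for (uint32_t i = 0; i < n; i++) buf[i] = d[4 + i];  /* widen bytes */
    buf[n] = 0;
    p->pos += 4 + (size_t)n;
    *out = buf;
    *out_len = n;
    return RS_OK;
}

int main(void) {
    /* Constructed datagram: length field 0x7fffffff, then 2 bytes. */
    const uint8_t big[] = { 0xff, 0xff, 0xff, 0x7f, 'h', 'i' };
    pkt_t p = { big, sizeof big, 0 };
    uint16_t *s = NULL;
    uint32_t n = 0;
    printf("unchecked request: %llu bytes\n",
           (unsigned long long)unchecked_request(0x7fffffffu));
    printf("bounded reader returns %d\n", read_string(&p, &s, &n));
    return 0;
}
```

Because a UDP datagram can never carry more payload than its own size, the remaining-bytes comparison rejects both 0x7fffffff and 0x80000000 without touching the allocator.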