Epic Games Unreal Tournament Server Engine Remote Format String Vulnerability

Bugtraq ID:	9840
Class:	Input Validation Error
CVE:
Remote:	Yes
Local:	No
Published:	Mar 10 2004 12:00AM
Updated:	Mar 10 2004 12:00AM
Credit:	Disclosure of this issue is credited to Luigi Auriemma <[email protected]>.
Vulnerable:	Epic Games Unreal Tournament Server 436.0 Epic Games Unreal Tournament 2003 Demo Version 2206 win32 Epic Games Unreal Tournament 2003 Demo Version 2206 linux Epic Games Unreal Tournament 2003 2199 win32 Epic Games Unreal Tournament 2003 2199 linux Epic Games Unreal Engine 436 + ARUSH Devastation 390.0 + ARUSH Devastation 381.0 + ARUSH Devastation 380.0 + Atari Magic The Gathering: Battlegrounds 1.4 + Atari Magic The Gathering: Battlegrounds 1.3 + Atari Magic The Gathering: Battlegrounds 1.2 + Atari Magic The Gathering: Battlegrounds 1.1 + Atari Magic The Gathering: Battlegrounds 1.0 + Atari Nerf Arena Blast + Eidos DeusEx 1.2 + Eidos DeusEx 1.1 + Eidos DeusEx 1.0 + Human Head Studios Rune 1.0.1 + Human Head Studios Rune 1.0 + Microprose Software Star Trek: Klingon Honor Guard + Microprose Software Tactical Ops 3.4 + Microprose Software Tactical Ops 3.3 + Microprose Software Tactical Ops 3.2 + Microprose Software Tactical Ops 3.1 + Microprose Software Tactical Ops 3.0 + Rage Software Mobile Forces + Running With Scissors Postal 2 + Ubi Rainbow Six: Raven Shield 1.5 + Ubi Rainbow Six: Raven Shield 1.4 + Ubi Rainbow Six: Raven Shield 1.3 + Ubi Rainbow Six: Raven Shield 1.2 + Ubi Rainbow Six: Raven Shield 1.1 + Ubi Rainbow Six: Raven Shield 1.0 + United States Department of Defense America's Army 2.0 .0 + United States Department of Defense America's Army: SFAS 2.0 .0a + United States Department of Defense America's Army: SFAS 1.9 .0 Epic Games Unreal Engine 3 Epic Games Unreal Engine 226f
Not Vulnerable:

Epic Games Unreal Tournament Server Engine Remote Format String Vulnerability

A format string vulnerability has been reported to exists in the Unreal Tournament server engine. This issue is due to a failure of the server application to properly sanitize user supplied network data.

Ultimately this vulnerability could allow for execution of arbitrary code on the system implementing the affected server software, which would occur in the security context of the server process.

Epic Games Unreal Tournament Server Engine Remote Format String Vulnerability

A proof of concept has been provided. It can be obtained from the following location:

http://aluigi.altervista.org/poc/unrfs-poc.zip

Another method to test the vulnerability is the adding of %n after "Class=" in the file system/user.ini

Example:

From:
Class=Engine.Pawn

To:
Class=%n%nEngine.Pawn

If the game is vulnerable it will crash when launched.

Epic Games Unreal Tournament Server Engine Remote Format String Vulnerability

Solution:
Currently we are not aware of any vendor-supplied patches for this issue. If you feel we are in error or are aware of more recent information, please mail us at: [email protected] <mailto:[email protected]>.

Epic Games Unreal Tournament Server Engine Remote Format String Vulnerability

References:

• Home Page (Epic Games)
  
• Unreal Tournament Homepage (Epic Games)
  
• Format string bug in EpicGames Unreal engine (Luigi Auriemma )
  
• Re: Format string bug in EpicGames Unreal engine (Sebastian "Käppler" )
  
• Unreal engine updates and Battle Mages advisory (Luigi Auriemma )