SecurityTracker.com
Keep Track of the Latest Vulnerabilities
with SecurityTracker!
    Home    |    View Topics    |    Search    |    Contact Us    |    Help    |   

SecurityTracker
Archives


Welcome to SecurityTracker!
 
Click to Sign Up
Sign Up
Sign Up for Your FREE Weekly SecurityTracker E-mail Alert Summary
Instant Alerts
Buy our Premium Vulnerability Notification Service to receive customized, instant alerts
Affiliates
Put SecurityTracker Vulnerability Alerts on Your Web Site -- It's Free!
Partners
Become a Partner and License Our Database or Notification Service
Report a Bug
Report a vulnerability that you have found to SecurityTracker
bugs
@
securitytracker.com
Sign Up!





Category:  Application (Game)  >  Unreal Game Engine Vendors:  Epic Games
Unreal Game Engine UMOD '..\' Input Validation Flaw Lets Remote Users Overwrite Files on the Target System
SecurityTracker Alert ID:  1009923
CVE Reference:  GENERIC-MAP-NOMATCH   (Links to External Site)
Updated:  Apr 26 2004
Original Entry Date:  Apr 23 2004
Impact:  Modification of system information, Modification of user information
Exploit Included:  Yes   Vendor Confirmed:  Yes  
Description:  Luigi Auriemma reported a vulnerability in the Unreal game engine. A remote user can overwrite files on the target system.

It is reported that a remote user can create a specially crafted filename containing the '..\' directory traversal characters as part of an Unreal MOD (UMOD) archive file to cause the target system to overwrite arbitrary files on the target system when installing the archive.

A demonstration exploit is available at:

http://aluigi.altervista.org/poc/umodpoc.zip

The vendor was reportedly notified on December 18, 2003.
Impact:  A remote user can create an update file that, when installed, will overwrite files on the target user's system with the privileges of the target user.
Solution:  The report indicates that the Unreal Tournament 2004 game (using the Unreal engine) was fixed prior to release, but that Unreal Tournament and Unreal Tournament 2003 are still vulnerable. An unknown number of other games that use the Unreal engine may be affected.
Vendor URL:  unreal.epicgames.com/ (Links to External Site)
Cause:  Input validation error
Underlying OS:  MacOS, UNIX (OS X), Windows (Any)
Underlying OS Comments:  The affected UMOD function is not officially supported on Linux platforms
Reported By:  Luigi Auriemma <aluigi@altervista.org>
Message History:   None.

 Source Message Contents
Date:  Thu, 22 Apr 2004 18:02:20 +0000
From:  Luigi Auriemma <aluigi@altervista.org>
Subject:  Arbitrary file overwriting in Unreal engine through UMOD

 


#######################################################################

                              Luigi Auriemma

Application:  Unreal engine
               http://unreal.epicgames.com
Versions:     any game based on this engine that supports the UMOD
               installation.
               An example are Unreal Tournament <= 451b and Unreal
               Tournament 2003 <= 2225.
               A full list of vulnerable games is not available.
Platforms:    Windows and MacOS (on Linux the UMODs are not officially
               supported)
Bug:          arbitrary file overwriting
Risk:         medium as diffusion but critical as damage
Exploitation: local
Date:         22 Apr 2004
Author:       Luigi Auriemma
               e-mail: aluigi@altervista.org
               web:    http://aluigi.altervista.org


#######################################################################


1) Introduction
2) Bug
3) The Code
4) Fix


#######################################################################

===============
1) Introduction
===============


The Unreal engine developed by EpicGames natively supports a file
format called UMOD used to easily install external add-ons:

"Umod: (aka Unreal MOD) Platform independent archives that allow mod
        authors to ship their game content to unreal engine gamers"


#######################################################################

======
2) Bug
======


The UMOD file format is a simple archive that contains all the files to
install plus a manifest.ini file read by the UMOD installer and used to
know some informations as the author of the mod, the description, the
needed minimum game version and more.

Using the classical "..\" pattern in the filename and in its name into
the manifest.ini file an attacker is able to go outside the game's
directory and to overwrite ANY file in the partition on which the game
is installed, without alerts or messages from the installer.


#######################################################################

===========
3) The Code
===========


   http://aluigi.altervista.org/poc/umodpoc.zip


However is also possible create a normal UMOD file using the specific
utilities commonly used to do it as UmodWizard, modifying a filename
and its name in the manifest.ini file using the "..\" pattern just as
"..\..\..\windows\notepad.exe" and then recalculating the checksum of
the package with the -C option of my UMOD extractor utility
http://aluigi.altervista.org/papers/umodext.zip.


#######################################################################

======
4) Fix
======


The bug has been signaled to EpicGames the 18 December 2003.

Unreal Tournament 2004 is the only game actually patched, in fact it
has been fixed before its pubblic release.

Unreal Tournament and Unreal Tournament 2003 are still vulnerable and
the patch is a mistery from 7 months.

I don't know if and how many other games are vulnerables.


#######################################################################


---
Luigi Auriemma
http://aluigi.altervista.org


Go to the Top of This SecurityTracker Archive Page



Home   |    View Topics   |    Search   |    Contact Us   |    Help

Copyright 2004, SecurityGlobal.net LLC