[ISN] 'Unreal' Security Risk

From: InfoSec News (isnat_private)
Date: Tue Feb 11 2003 - 22:25:56 PST

  • Next message: InfoSec News: "RE: [ISN] Taking byte from Baghdad"

    By Becky Worley
    February 10, 2003
    Entertaining computer games may no longer be so harmless -- especially 
    for your computer. 
    PivX Solutions, a computer security firm in Newport Beach, Calif., 
    recently disclosed that it has found a slew of vulnerabilities in the 
    core software code or "engine" that is used in the Unreal video game. 
    PivX says the holes could let an attacker launch a denial-of-service 
    attack, crash a gaming server, or even run code on a player's machine. 
    Luigi Auriemma, a security researcher for PivX Solutions, discovered 
    the holes. 
    "These bugs have been around for five years," he says. "They could be 
    used by malicious attackers in worms or large-scale attacks that rival 
    those of Nimda and Sapphire/Slammer... Really frightful." 
    In January, PivX released news of a vulnerability in networking 
    protocols that affected many online multiplayer games. That flaw 
    affected the connectivity functions of Unreal and Unreal Tournament 
    computer games. 
    But this latest set of vulnerabilities actually stem from the Unreal 
    Engine, the core software code that is licensed out to other 
    developers to power the action and graphics of their own games. 
    Danger on your disk 
    Some of the more popular computer games that PivX claims are affected 
    by the Unreal Engine flaw include: 
    * "Star Trek: The Next Generation: Klingon Honor Guard"
    * "Unreal"
    * "The Wheel of Time"
    * "Deus Ex"
    * "Mobile Forces"
    * "Rune"
    * "Unreal Tournament"
    * "Hired Guns"
    * "Navy Seals"
    * "TNN Outdoor Pro Hunter"
    * "Werewolf"
    * "X-Com: Alliance"
    * "Adventure Pinball"
    * "America's Army"
    * "Unreal Tournament 2003"
    Four of the games -- Hired Guns, Navy Seals, Werewolf, and X-Com:  
    Alliance haven't made it onto store shelves, but PivX says the code
    they are built on could be affected by the vulnerabilities if the
    games are ever released.
    According to its security release, PivX says that playing any of these 
    games on a Windows, Linux, or Mac OS platform makes a user vulnerable. 
    Possible exploits include the following: 
    * Local and remote denial of service.
    * Distributed denial of service (flooding remote computers with data 
      packets to freeze it).
    * Bounce attacks with spoofed UDP packets. (This is how attackers can 
      flood a server without using all of their bandwidth. It creates a 
      data transfer loop within the targeted computer.)
    * Fake players can exclude others on a game server.
    * Most importantly, PivX says, the holes could allow the execution of 
      malicious code on a targeted computer.
    PivX CEO Geoff Shively called this reporter in November to talk about
    the Unreal holes. He asked us not to disclose them until PivX had a
    response from Epic Games, which makes the Unreal engine. But PivX now
    says Epic won't give it an answer about fixing the holes.
    "Epic and its employees are playing 'cat and mouse' with us," Shively 
    says. "Software vendors have a tacit obligation to protect their 
    customers' security. Unfortunately, many of them don't take this 
    responsibility seriously." 
    Fixes on the way 
    Tim Sweeney, president and chief programmer at Epic Games, says his
    company is working on a patch for the server holes.
    "Last Wednesday, we produced an Unreal Tournament 2003 patch we've had
    in testing that solves all of the reported client-side 'malicious
    code' exploits and server exploits," says Sweeney. "We also
    immediately made this available to all of the Unreal Engine licensees
    for incorporation into their future patches and full game releases."
    Sweeney adds that the fixes for the Unreal engine itself is currently
    being tested and its release to consumers is "imminent."
    Sweeney added that the company isn't used to dealing with such
    security issues.
    "This incident is the first time Epic Games has been confronted
    head-on with a network exploit of this nature. We didn't respond
    quickly enough to PivX's initial reports and it's clear that this
    event has been a wakeup call," he says. "We're now reviewing our code
    for undiscovered exploits, and if we or the community find others,
    we'll be jumping on them too."
    ISN is currently hosted by Attrition.org
    To unsubscribe email majordomoat_private with 'unsubscribe isn'
    in the BODY of the mail.

    This archive was generated by hypermail 2b30 : Wed Feb 12 2003 - 00:30:50 PST