I have written an exploit about another effect of the "Negative sign bug" I discovered some months ago in the Unreal engine (http://www.pivx.com/luigi/adv/ueng-adv.txt). The vulnerable softwares are ONLY the clients of the retail UnrealTournament 2003 v2199 and the demo v2206. The patch v2225 fixes the problem in the retail game. NOTE that the link to the v2225 patch for Linux has not yet inserted on the official homepage of the game http://www.unrealtournament2003.com but it exist and you can download directly from the following URL or from any other mirror: http://unreal.epicgames.com/linux/ut2003/ut2003lnx_patch2225.tar.bz2 Instead for the demo v2206 you must download the fixed IpDrv file from here: Win: http://unreal.epicgames.com/files/UT2003Demo2206WindowsUpdate1.zip Linux: http://unreal.epicgames.com/files/IpDrv.so.bz2 The exploit simulates an Unreal Tournament 2003 server that accepts connections to the information port (default 10777) and when a client connects to it, the server will send a formatted UDP packet that contains a negative index number that consumes a customized quantity of memory on the remote client and can crash it if this quantity cannot be allocated (for more informations about this type of bug read my old ueng-adv.txt advisory). The exploit can be compiled on both Windows and Unix systems: http://www.pivx.com/luigi/poc/ut2003pdos.zip The best solution for an attacker to maliciously use the exploit is in coupling with a heartbeat emulator that lets your IP address to be added to the official online game servers list of Epic (http://ut2003master.epicgames.com/serverlist/full-all.txt). I have written an example code that makes the work and can be easily customized: http://www.pivx.com/luigi/testz/ut2003ms.zip NOTE: for using the exploit in coupling with the heartbeat emulator you need to specify 7778 as default listening port. BYEZ --- PivX Bug Researcher http://www.pivx.com/luigi/
This archive was generated by hypermail 2b30 : Tue May 13 2003 - 13:45:52 PDT