Memory corruption and NULL pointer in Unreal Tournament III
Our old pal Luigi is keeping busy... second UT hack published in as many days... I haven't looked at the source of his exploit but his stuff always works as advertised.
#########################################
Luigi Auriemma
Application: Unreal Tournament III http://www.unrealtournament3.com
Versions: <= 1.2 and 1.3beta4
Platforms: Windows (tested), Linux, PS3 and Xbox360
Bugs: A] memory corruption
B] NULL pointer
Exploitation: remote, versus server
Date: 30 Jul 2008
Author: Luigi Auriemma
e-mail:
web: aluigi.org
#########################################
1) Introduction
2) Bugs
3) The Code
4) Fix
#########################################
===============
1) Introduction
===============
Unreal Tournament III is the latest game (2007) of the Unreal series
created by Epic Games (http://www.epicgames.com).
UT3 is affected by a problem in the handling of a specific type of
packet. In this particular type of packet there is a 16 bit field which
specifies the size of the data that follows and if this string is
longer than about 172 bytes a memory corruption will occur allowing an
attacker to control various registers which could allow the execution
of malicious code.
---------------
B] NULL pointer
---------------
If the amount of data about I talked previously is bigger than the
total size of the packet the string will not be read and a NULL pointer
exception will occur.
This type of bug is easily recognizable on the server because the
message "Error: Attempted to multiply free a voice packet" is
displayed before the crash when the malformed packet is received.
Memory corruption and NULL pointer in Unreal Tournament III
![dirrty[starbuck]'s Avatar](images/avatars.unreal/unreal0002.gif)
Linear Mode
