Luigi does it again - UT2004 Remote DoS


MrHinkyDink
30th July, 2008, 02:34 AM
With link to PoC...


############################################

Luigi Auriemma

Application: Unreal Tournament 2004
http://www.unrealtournament2003.com/ut2004/index.html
Versions: <= v3369
Platforms: Windows and Linux
Bug: NULL pointer
Exploitation: remote, versus server
Date: 30 Jul 2008
Author: Luigi Auriemma
e-mail: aluigi@<hidden>
web: aluigi.org


############################################


1) Introduction
2) Bug
3) The Code
4) Fix


############################################

===============
1) Introduction
===============


Unreal Tournament 2004 is a well known FPS game developed by Epic Games
(http://www.epicgames.com) and released at the beginning of 2004.


############################################

======
2) Bug
======


Through a specific sequence of packets an attacker is able to crash the
UT2004 server due to a NULL pointer exception.


############################################

===========
3) The Code
===========


http://aluigi.org/poc/ut2004null.zip


############################################

======
4) Fix
======


No fix


############################################


---
Luigi Auriemma
http://aluigi.org
http://backup.aluigi.org
http://mirror.aluigi.org

AnthraX
30th July, 2008, 03:20 AM
Is v3369 the latest version of UT2004?

AnthraX
30th July, 2008, 04:05 AM
I took a quick look at the code and my first impression is that there's very little I (and most people on this forum) can do about this. The "malformed packets" are sent directly to the main gameport and, as far as I can remember, it is impossible to filter this traffic using UnrealScript code. The only fix that doesn't involve Epic that I can think of right now would be some sort of external packet filter. I do not have any experience in this area though.

PizzaMan
1st August, 2008, 09:30 PM
Let's all thank him for telling people how to do this.

~V~
1st August, 2008, 10:04 PM
It would be a good idea to moderate out those links from the first post, wouldn't it? He also has the same exploit for other games on his site.

Azura
2nd August, 2008, 03:07 AM
This can probably be handled by a Linux script in the same way the last DoS exploit was. If you're lucky enough to have access to a dedicated server, that is. I wonder how game server hosts will handle the problem.