Home page logo
/

bugtraq logo Bugtraq mailing list archives

UT2003 client passive DoS exploit
From: Auriemma Luigi <aluigi () pivx com>
Date: Tue, 13 May 2003 20:19:18 +0000


I have written an exploit about another effect of the "Negative sign bug" I
discovered some months ago in the Unreal engine
(http://www.pivx.com/luigi/adv/ueng-adv.txt).

The vulnerable softwares are ONLY the clients of the retail UnrealTournament
2003 v2199 and the demo v2206.

The patch v2225 fixes the problem in the retail game.
NOTE that the link to the v2225 patch for Linux has not yet inserted on the
official homepage of the game http://www.unrealtournament2003.com but it
exist and you can download directly from the following URL or from any other
mirror:
http://unreal.epicgames.com/linux/ut2003/ut2003lnx_patch2225.tar.bz2

Instead for the demo v2206 you must download the fixed IpDrv file from here:
Win:   http://unreal.epicgames.com/files/UT2003Demo2206WindowsUpdate1.zip
Linux: http://unreal.epicgames.com/files/IpDrv.so.bz2


The exploit simulates an Unreal Tournament 2003 server that accepts
connections to the information port (default 10777) and when a client
connects to it, the server will send a formatted UDP packet that contains a
negative index number that consumes a customized quantity of memory on the
remote client and can crash it if this quantity cannot be allocated (for
more informations about this type of bug read my old ueng-adv.txt advisory).

The exploit can be compiled on both Windows and Unix systems:

http://www.pivx.com/luigi/poc/ut2003pdos.zip



The best solution for an attacker to maliciously use the exploit is in
coupling with a heartbeat emulator that lets your IP address to be added to
the official online game servers list of Epic
(http://ut2003master.epicgames.com/serverlist/full-all.txt).

I have written an example code that makes the work and can be easily
customized:

http://www.pivx.com/luigi/testz/ut2003ms.zip



NOTE: for using the exploit in coupling with the heartbeat emulator you need
to specify 7778 as default listening port.



BYEZ



--- 
PivX Bug Researcher
http://www.pivx.com/luigi/



  By Date           By Thread  

Current thread:
  • UT2003 client passive DoS exploit Auriemma Luigi (May 13)
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]
AlienVault