Unreal Game Engine secure query command execution

unreal-secure-query-command-execute (16451) The risk level is classified as HighHigh Risk

Description:

Multiple Epic Games could allow a remote attacker to execute arbitrary code on the system, caused by a vulnerability in the Unreal Game Engine. A remote attacker could send a specially-crafted UDP secure query packet to the server to cause memory corruption and the execution of arbitrary code on the system.


Consequences:

Gain Access

Remedy:

For UnrealTournament 2004:
Upgrade to the latest version of UnrealTournament 2004 (3236 or later), available from the UnrealTournament 2004 Downloads Web page. See References.

For UnrealTournament 436 and v451b:
Download the patch, as listed in Full-Disclosure Mailing List, Wed Jun 23 2004 - 13:09:25 CDT. See References.

For Gentoo Linux:
Upgrade to the latest version of UnrealTournament 2004, as listed in GLSA 200407-14. See References.

For other distributions:
Contact your vendor for upgrade or patch information.

References:

  • Full-Disclosure Mailing List, Fri Jun 18 2004 - 15:05:32 CDT: Code execution in the Unreal Engine through \secure\ packet.
  • Full-Dislcosure Mailing List, Wed Jun 23 2004 - 13:09:25 CDT: Solution for bugtraq id 10570 (Epic Games Unreal Engine Memory Corruption Vulnerability).
  • Unreal Tournament 2004 Downloads Web site: Unreal Tournament 2004.
  • BID-10570: Epic Games Unreal Engine Memory Corruption Vulnerability
  • CVE-2004-0608: The Unreal Engine, as used in DeusEx 1.112fm and earlier, Devastation 390 and earlier, Mobile Forces 20000 and earlier, Nerf Arena Blast 1.2 and earlier, Postal 2 1337 and earlier, Rune 107 and earlier, Tactical Ops 3.4.0 and earlier, Unreal 1 226f and earlier, Unreal II XMP 7710 and earlier, Unreal Tournament 451b and earlier, Unreal Tournament 2003 2225 and earlier, Unreal Tournament 2004 before 3236, Wheel of Time 333b and earlier, and X-com Enforcer, allows remote attackers to execute arbitrary code via a UDP packet containing a secure query with a long value, which overwrites memory.
  • GLSA-200407-14: Unreal Tournament 2003/2004: Buffer overflow in 'secure' queries

Platforms Affected:

  • Apple Mac OS Server
  • ARUSH Games Devastation 390 and prior
  • ASC Games TNN Pro Hunter
  • Epic Games Unreal 226f and prior
  • Epic Games Unreal II XMP 7710 and prior
  • Epic Games Unreal Tournament 451b and prior
  • Epic Games Unreal Tournament 2003 2225 and prior
  • Epic Games Unreal Tournament 2004 prior to 3236
  • Gentoo Linux
  • Go POSTAL Postal 2 1337 and prior
  • Hasbro Interactive Nerf Arena Blast 1.2 and prior
  • Humanhead Studios Rune 107 and prior
  • Infogames Wheel of Time 333b and prior
  • Infogames X-COM Enforcer
  • Ion Storm DeusEx 1.112fm and prior
  • Microprose.com Tactical Ops 3.4.0 and prior
  • Rage Software Mobile Forces 20000 and prior

Reported:

Jun 18, 2004

The information within this database may change without notice. Use of this information constitutes acceptance for use in an AS IS condition. There are NO warranties, implied or otherwise, with regard to this information or its use. Any use of this information is at the user's risk. In no event shall the author/distributor (IBM Internet Security Systems X-Force) be held liable for any damages whatsoever arising out of or in connection with the use or spread of this information.

For corrections or additions please email xforce@iss.net

Return to the main page