| Subject: | [Full-disclosure] Memory corruption and NULL pointer in Unreal Tournament III 1.2 |
|---|---|
| Date: | Wed, 30 Jul 2008 00:37:27 +0100 |
#######################################################################
Luigi Auriemma
Application: Unreal Tournament III
http://www.unrealtournament3.com
Versions: <= 1.2 and 1.3beta4
Platforms: Windows (tested), Linux, PS3 and Xbox360
Bugs: A] memory corruption
B] NULL pointer
Exploitation: remote, versus server
Date: 30 Jul 2008
Author: Luigi Auriemma
e-mail: aluigi@autistici.org
web: aluigi.org
#######################################################################
1) Introduction
2) Bugs
3) The Code
4) Fix
#######################################################################
===============
1) Introduction
===============
Unreal Tournament III is the latest game (2007) of the Unreal series
created by Epic Games (http://www.epicgames.com).
#######################################################################
=======
2) Bugs
=======
--------------------
A] memory corruption
--------------------
UT3 is affected by a problem in the handling of a specific type of
packet. In this particular type of packet there is a 16-bit field which
specifies the size of the data that follows; if this string is longer
than about 172 bytes, memory corruption will occur, allowing an
attacker to control various registers, which could allow the execution
of malicious code.
---------------
B] NULL pointer
---------------
If the amount of data I talked about previously is bigger than the
total size of the packet, the string will not be read and a NULL pointer
exception will occur.
This type of bug is easily recognizable on the server because the
message "Error: Attempted to multiply free a voice packet" is
displayed before the crash when the malformed packet is received.
#######################################################################
===========
3) The Code
===========
http://aluigi.org/poc/ut3mendo.zip
#######################################################################
======
4) Fix
======
No fix
#######################################################################
---
Luigi Auriemma
http://aluigi.org
http://backup.aluigi.org
http://mirror.aluigi.org
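
The two bounds checks that bugs A and B call for on a length-prefixed field, as an added C example (not code from the advisory, its proof of concept, or the game). The wire layout, the names parse_field and FIELD_CAP, and the 172-byte capacity are assumptions for illustration; the advisory does not give the real packet format.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Assumed layout (hypothetical, the advisory gives no wire format):
 *   bytes 0..1  declared data size, 16-bit little-endian
 *   bytes 2..   data
 * FIELD_CAP is an illustrative capacity taken from the "about 172 bytes"
 * figure in the advisory, not a value from the game's code. */
#define FIELD_CAP 172

enum parse_result {
    PARSE_OK = 0,
    PARSE_SHORT_HEADER,    /* packet too small to hold the size field */
    PARSE_SIZE_GT_PACKET,  /* bug B class: declared size exceeds bytes received */
    PARSE_SIZE_GT_BUFFER   /* bug A class: declared size exceeds destination */
};

struct field {
    uint8_t data[FIELD_CAP];
    size_t  len;
};

/* Validates the declared size against both bounds before copying.
 * On any error the output length stays 0, so the caller always gets a
 * defined result instead of a missing or overrun buffer. */
enum parse_result parse_field(const uint8_t *pkt, size_t pkt_len,
                              struct field *out)
{
    out->len = 0;
    if (pkt == NULL || pkt_len < 2)
        return PARSE_SHORT_HEADER;

    size_t declared = (size_t)pkt[0] | ((size_t)pkt[1] << 8);

    if (declared > pkt_len - 2)        /* compare with bytes actually present */
        return PARSE_SIZE_GT_PACKET;
    if (declared > sizeof out->data)   /* compare with destination capacity */
        return PARSE_SIZE_GT_BUFFER;

    memcpy(out->data, pkt + 2, declared);
    out->len = declared;
    return PARSE_OK;
}
```

A caller should drop the packet on any non-zero result and must not free or reuse the field on the error path.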