Archeus
25-06-04, 09:13
Got it in a mailing list I am on.
Critical hole revealed in Unreal Tournament
[PC Pro] 12:09
Gamers have been warned that the Unreal Engine, found within a
variety of games as well versions of Unreal Tournament, contains a
critical security flaw. Described as a 'Query Buffer Overflow
Vulnerability', the 'highly critical' flaw could let an attacker
execute arbitrary code on affected machines.
The vulnerability was first reported by one Luigi Auriemma, and you
can read his original advisory here. The security company Secunia has
now also issued an advisory warning on the matter.
Apparently, boundary errors have been discovered within the
processing of queries, such as verifying whether communications are
taking place with a legitimate Unreal server. The net result is that
the weakness can be exploited by sending an overly long challenge
string to a vulnerable server, causing a buffer overflow.
Note that the flaw has been addressed in Unreal Tournament 2004 (from
build 3236 and later), but the following games are among those
affected:
- DeusEx (build 1.112fm and prior)
- Devastation (build 390 and prior)
- Mobile Forces (build 20000 and prior)
- Nerf Arena Blast (build 1.2 and prior)
- Postal 2 (build 1337 and prior)
- Rune (build 107 and prior)
- Tactical Ops (build 3.4.0 and prior)
- TNN Pro Hunter
- Unreal 1 (build 226f and prior)
- Unreal II XMP (build 7710 and prior)
- Unreal Tournament (build 451b and prior)
- Unreal Tournament 2003 (build 2225 and prior)
- Unreal Tournament 2004 (prior to build 3236)
- Wheel of Time (build 333b and prior)
- X-com Enforcer
You can read the Secunia advisory on the company's website.
Critical hole revealed in Unreal Tournament
[PC Pro] 12:09
Gamers have been warned that the Unreal Engine, found within a
variety of games as well versions of Unreal Tournament, contains a
critical security flaw. Described as a 'Query Buffer Overflow
Vulnerability', the 'highly critical' flaw could let an attacker
execute arbitrary code on affected machines.
The vulnerability was first reported by one Luigi Auriemma, and you
can read his original advisory here. The security company Secunia has
now also issued an advisory warning on the matter.
Apparently, boundary errors have been discovered within the
processing of queries, such as verifying whether communications are
taking place with a legitimate Unreal server. The net result is that
the weakness can be exploited by sending an overly long challenge
string to a vulnerable server, causing a buffer overflow.
Note that the flaw has been addressed in Unreal Tournament 2004 (from
build 3236 and later), but the following games are among those
affected:
- DeusEx (build 1.112fm and prior)
- Devastation (build 390 and prior)
- Mobile Forces (build 20000 and prior)
- Nerf Arena Blast (build 1.2 and prior)
- Postal 2 (build 1337 and prior)
- Rune (build 107 and prior)
- Tactical Ops (build 3.4.0 and prior)
- TNN Pro Hunter
- Unreal 1 (build 226f and prior)
- Unreal II XMP (build 7710 and prior)
- Unreal Tournament (build 451b and prior)
- Unreal Tournament 2003 (build 2225 and prior)
- Unreal Tournament 2004 (prior to build 3236)
- Wheel of Time (build 333b and prior)
- X-com Enforcer
You can read the Secunia advisory on the company's website.