[34108] in bugtraq


Re: Unreal engine updates and Battle Mages advisory

daemon@ATHENA.MIT.EDU (Todd Chapman)
Thu Mar 11 15:26:03 2004

Message-ID: <4050B46E.4000207@leoninedev.com>
Date: Thu, 11 Mar 2004 13:48:14 -0500
From: Todd Chapman <tchapman@leoninedev.com>
MIME-Version: 1.0
To: Luigi Auriemma <aluigi@altervista.org>
Cc: bugtraq@securityfocus.com
In-Reply-To: <20040311142523.23d99c3a.aluigi@altervista.org>
Content-Type: text/plain; charset=us-ascii; format=flowed
Content-Transfer-Encoding: 7bit

Luigi,

After seeing some doubt expressed by users in the Unreal community, I 
tried your INI file test this morning on multiple Unreal Tournament 
products and just now on America's Army 2.0. I confirmed crashes for UT, 
UT2003 demo, and AA. UT2004 demo ran fine. Results are detailed a little 
more below.

One question: Do you see the remote code execution as a possibility or 
did you actually accomplish executing code in your tests? I'm trying to 
clarify the exact level of threat to some users and they tend to take it 
more seriously when it can be presented as "verified to be exploitable 
for practical use not just DoS".


Results:
Unreal Tournament v451: Crashed with a GPF. Errors noted in log as follows:
-----
ScriptLog: InitGame: ?Name=-TD-PintOStout?;Class=BotPack.TBoss?Class=%n%nBotPack.TMale2?team=1?skin=SoldierSkins.hkil?Face=SoldierSkins.Vector?Voice=BotPack.VoiceMaleTwo?OverrideClass=
ScriptLog: Base Mutator is CityIntro.Mutator1
Init: Initialized moving brush tracker for Level CityIntro.MyLevel
Log: Bound to UWeb.dll
Critical: UObject::SafeLoadError
Critical: UObject::GetPackageLinker
Critical: UObject::StaticLoadObject
Critical: (Core.Class .TMale2 NULL)
Critical: UObject::StaticLoadClass
Critical: ULevel::SpawnPlayActor
Critical: UGameEngine::Init
Critical: InitEngine
Exit: Executing UObject::StaticShutdownAfterError
Exit: Executing UWindowsClient::ShutdownAfterError
Log: DirectDraw End Mode
Exit: Exiting.
Uninitialized: Name subsystem shut down
Uninitialized: Log file closed, 03/11/04 08:35:07
-----

Current UT2003 Demo (build 2206): Simple shutdown during launch with no 
visual error message. Left the log file at home but believe it just stopped.

UT2004 Demo: Launched without issue

America's Army 2.0: Shutdown during launch similar to UT2003 Demo. Log 
file just stopped in the middle of a line:
----
ScriptLog: FontNames[3]=AAFontMedium Fonts[3]=Transient.InteractionMaster0.AAFontMedium0
ScriptLog: FontNames[4]=AAFontMedium Fonts[4]=Transient.InteractionMaster0.AAFontMedium0
ScriptLog: GUIStyles::Initialize() - AALargeText
ScriptLog: Fon
----


-- 
Todd Chapman
Systems Architect
TChapman@leoninedev.com
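
An added example, not part of the original message: a Python check that scans an Unreal log for `InitGame` option values containing printf-style conversion specifiers, such as the `%n%n` visible in the `Class` option of the UT v451 log above. The function names and the second (clean) sample line are constructed for illustration.

```python
import re

# printf-style conversion specifier: '%', optional flags, width, precision,
# length modifier, then a conversion character (including 'n').
PRINTF_SPEC = re.compile(
    r"%[-+ #0]*\d*(?:\.\d+)?(?:hh|h|ll|l|L|z|j|t)?[diouxXeEfgGcspn]"
)

def parse_options(url):
    """Split an Unreal-style option string ('?Key=Value?Key=Value') into pairs.
    The logged line above also contains a ';' separator, so split on both."""
    pairs = []
    for chunk in re.split(r"[?;]", url):
        if "=" in chunk:
            key, value = chunk.split("=", 1)
            pairs.append((key.strip(), value.strip()))
    return pairs

def scan_log(lines):
    """Return (line_no, key, value, specifiers) for every InitGame option
    whose value contains a printf-style conversion specifier."""
    findings = []
    for line_no, line in enumerate(lines, 1):
        match = re.match(r"ScriptLog: InitGame:\s*(.*)", line)
        if not match:
            continue
        for key, value in parse_options(match.group(1)):
            specs = PRINTF_SPEC.findall(value)
            if specs:
                findings.append((line_no, key, value, specs))
    return findings

SAMPLE_LOG = [
    # Line taken from the UT v451 log quoted in the message above.
    r"ScriptLog: InitGame: ?Name=-TD-PintOStout?;Class=BotPack.TBoss"
    r"?Class=%n%nBotPack.TMale2?team=1?skin=SoldierSkins.hkil"
    r"?Face=SoldierSkins.Vector?Voice=BotPack.VoiceMaleTwo?OverrideClass=",
    # Constructed clean line for comparison.
    r"ScriptLog: InitGame: ?Name=Player?Class=BotPack.TMale2?team=1",
    r"ScriptLog: Base Mutator is CityIntro.Mutator1",
]

if __name__ == "__main__":
    for line_no, key, value, specs in scan_log(SAMPLE_LOG):
        print(f"line {line_no}: option {key}={value!r} contains {specs}")
```

A URL-encoded value such as `%20d` would also match this pattern, so findings are leads for review rather than verdicts.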

