Memory corruption and NULL pointer in Unreal Tournament III 1.2







#######################################################################

                             Luigi Auriemma

Application:  Unreal Tournament III
              http://www.unrealtournament3.com
Versions:     <= 1.2 and 1.3beta4
Platforms:    Windows (tested), Linux, PS3 and Xbox360
Bugs:         A] memory corruption
              B] NULL pointer
Exploitation: remote, versus server
Date:         30 Jul 2008
Author:       Luigi Auriemma
              e-mail: aluigi@autistici.org
              web:    aluigi.org


#######################################################################


1) Introduction
2) Bugs
3) The Code
4) Fix


#######################################################################

===============
1) Introduction
===============

Unreal Tournament III is the latest game (2007) of the Unreal series
created by Epic Games (http://www.epicgames.com). 


#######################################################################

=======
2) Bugs
=======

--------------------
A] memory corruption
--------------------

UT3 is affected by a problem in the handling of a specific type of
packet. This type of packet contains a 16 bit field which specifies
the size of the data that follows, and if this data is longer than
about 172 bytes a memory corruption occurs, allowing an attacker to
control various registers, which could allow the execution of
malicious code.


---------------
B] NULL pointer
---------------

If the size of the data described above is bigger than the total size
of the packet, the string will not be read and a NULL pointer
exception will occur.
This type of bug is easily recognizable on the server because the
message "Error: Attempted to multiply free a voice packet" is
displayed before the crash when the malformed packet is received.
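
Both bugs come from trusting the 16 bit size field. The following is an
added example, not code from the advisory or from UT3: a receive-side
parser that checks the declared size against the bytes actually present
and against the destination buffer. The packet layout, the buffer
capacity and all names are assumptions made for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical capacity of the receiving buffer (assumption, not UT3's). */
#define VOICE_BUF_CAP 160

enum parse_result { PARSE_OK = 0, PARSE_TRUNCATED = -1, PARSE_TOO_LONG = -2 };

/* Parse one blob laid out as [u16 little-endian size][size bytes].
 * The layout is an assumed stand-in for the advisory's "16 bit field which
 * specifies the size of the data that follows"; the real format is not given. */
static int parse_voice_blob(const uint8_t *pkt, size_t pkt_len,
                            uint8_t *out, size_t out_cap, size_t *out_len)
{
    *out_len = 0;
    if (pkt == NULL || pkt_len < 2)
        return PARSE_TRUNCATED;          /* no room for the size field */

    size_t declared = (size_t)pkt[0] | ((size_t)pkt[1] << 8);

    /* Condition behind bug B: size claims more than the packet carries. */
    if (declared > pkt_len - 2)
        return PARSE_TRUNCATED;
    /* Condition behind bug A: size exceeds the fixed destination buffer. */
    if (declared > out_cap)
        return PARSE_TOO_LONG;

    memcpy(out, pkt + 2, declared);      /* safe: both bounds were checked */
    *out_len = declared;
    return PARSE_OK;
}

/* Constructed sample: a 12-byte packet whose size field claims 300 bytes. */
static int demo_oversized_claim(void)
{
    uint8_t pkt[12] = { 0x2C, 0x01 };    /* 0x012C = 300 */
    uint8_t buf[VOICE_BUF_CAP];
    size_t n;
    return parse_voice_blob(pkt, sizeof pkt, buf, sizeof buf, &n);
}

int main(void)
{
    printf("oversized claim -> %d\n", demo_oversized_claim());
    return 0;
}
```

A rejected packet should be dropped and logged before any buffer is
allocated or freed for it.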


#######################################################################

===========
3) The Code
===========

http://aluigi.org/poc/ut3mendo.zip 


#######################################################################

======
4) Fix
======

No fix


#######################################################################


--- 
Luigi Auriemma
http://aluigi.org 
http://backup.aluigi.org 
http://mirror.aluigi.org 

