Gentoo Forums
[ GLSA 200407-14 ] Unreal Tournament 2003/2004: Buffer overflow in 'secure' queries
Author: GLSA (Moderator)
Posted: Mon Jul 19, 2004 9:03 pm

Gentoo Linux Security Advisory

Title: Unreal Tournament 2003/2004: Buffer overflow in 'secure' queries (GLSA 200407-14)
Severity: high
Exploitable: remote
Date: July 19, 2004
Bug(s): #54726
ID: 200407-14

Synopsis


Game servers based on the Unreal engine are vulnerable to remote code
execution through malformed 'secure' queries.


Background


Unreal Tournament 2003 and 2004 are popular first-person-shooter games.
They are both based on the Unreal engine, and can be used in a game server
/ client setup.


Affected Packages

Package: games-fps/ut2003
Vulnerable: <= 2225-r2
Unaffected: >= 2225-r3
Architectures: All supported architectures

Package: games-server/ut2003-ded
Vulnerable: <= 2225-r1
Unaffected: >= 2225-r2
Architectures: All supported architectures

Package: games-fps/ut2004
Vulnerable: < 3236
Unaffected: >= 3236
Architectures: All supported architectures

Package: games-fps/ut2004-demo
Vulnerable: <= 3120-r3
Unaffected: >= 3120-r4
Architectures: All supported architectures


Description


The Unreal-based game servers support a specific type of query called
'secure'. Part of the Gamespy protocol, this query is used to ask if the
game server is able to calculate an exact response using a provided string.
Luigi Auriemma found that sending a long 'secure' query triggers a buffer
overflow in the game server.


Impact


By sending a malicious UDP-based 'secure' query, an attacker could execute
arbitrary code on the game server.


Workaround


Users can avoid this vulnerability by not using Unreal Tournament to host
games as a server. All users running a server should upgrade to the latest
versions.


Resolution


All Unreal Tournament users should upgrade to the latest available
versions:
Code:
    # emerge sync

    # emerge -pv ">=games-fps/ut2003-2225-r3"
    # emerge ">=games-fps/ut2003-2225-r3"

    # emerge -pv ">=games-server/ut2003-ded-2225-r2"
    # emerge ">=games-server/ut2003-ded-2225-r2"

    # emerge -pv ">=games-fps/ut2004-3236"
    # emerge ">=games-fps/ut2004-3236"

    # emerge -pv ">=games-fps/ut2004-demo-3120-r4"
    # emerge ">=games-fps/ut2004-demo-3120-r4"


References

Luigi Auriemma advisory
CAN-2004-0608


Last edited by GLSA on Sun Feb 22, 2015 4:16 am; edited 3 times in total
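
A bounds-checked parser for the kind of query the Description covers, added here as an illustration; it is not code from the Unreal engine or from the referenced advisory. The backslash-delimited `\secure\<string>` layout, the function and constant names, and the caller-supplied buffer size are assumptions of this example.

```c
#include <stddef.h>
#include <string.h>

enum { SECURE_OK = 0, SECURE_ABSENT = -1, SECURE_TOO_LONG = -2, SECURE_BAD_ARG = -3 };

/* Locate needle in a length-delimited buffer; UDP payloads carry no NUL terminator. */
static const char *find_bytes(const char *hay, size_t hay_len,
                              const char *needle, size_t needle_len)
{
    if (needle_len == 0 || hay_len < needle_len)
        return NULL;
    for (size_t i = 0; i + needle_len <= hay_len; i++)
        if (memcmp(hay + i, needle, needle_len) == 0)
            return hay + i;
    return NULL;
}

/*
 * Copy the string that follows \secure\ in a datagram of pkt_len bytes into
 * out (capacity out_size, terminator included). The string ends at the next
 * backslash or at the end of the datagram. A string that does not fit is
 * rejected; it is never copied or truncated into the fixed-size buffer.
 */
int parse_secure_query(const char *pkt, size_t pkt_len, char *out, size_t out_size)
{
    static const char key[] = "\\secure\\";   /* assumed key layout */
    const size_t key_len = sizeof(key) - 1;

    if (pkt == NULL || out == NULL || out_size == 0)
        return SECURE_BAD_ARG;
    out[0] = '\0';

    const char *hit = find_bytes(pkt, pkt_len, key, key_len);
    if (hit == NULL)
        return SECURE_ABSENT;

    const char *val = hit + key_len;
    size_t remaining = pkt_len - (size_t)(val - pkt);
    const char *end = memchr(val, '\\', remaining);
    size_t val_len = end ? (size_t)(end - val) : remaining;

    if (val_len >= out_size)
        return SECURE_TOO_LONG;   /* drop the query instead of writing past out */

    memcpy(out, val, val_len);
    out[val_len] = '\0';
    return SECURE_OK;
}
```

The length is taken from the datagram size returned by the receive call, not from `strlen`, so a payload without a terminator cannot push the scan or the copy past either buffer.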