Gentoo Forums
[ GLSA 200407-14 ] Unreal Tournament 2003/2004: Buffer overflow in 'secure' queries
Posted by GLSA (Moderator) on Mon Jul 19, 2004 9:03 pm

Gentoo Linux Security Advisory

Title: Unreal Tournament 2003/2004: Buffer overflow in 'secure' queries (GLSA 200407-14)
Severity: high
Exploitable: remote
Date: July 19, 2004
Bug(s): #54726
ID: 200407-14

Synopsis

Game servers based on the Unreal engine are vulnerable to remote code execution through malformed 'secure' queries.

Background

Unreal Tournament 2003 and 2004 are popular first-person-shooter games. They are both based on the Unreal engine, and can be used in a game server / client setup.

Affected Packages

Package: games-fps/ut2003
Vulnerable: <= 2225-r2
Unaffected: >= 2225-r3
Architectures: All supported architectures

Package: games-server/ut2003-ded
Vulnerable: <= 2225-r1
Unaffected: >= 2225-r2
Architectures: All supported architectures

Package: games-fps/ut2004
Vulnerable: < 3236
Unaffected: >= 3236
Architectures: All supported architectures

Package: games-fps/ut2004-demo
Vulnerable: <= 3120-r3
Unaffected: >= 3120-r4
Architectures: All supported architectures


Description

The Unreal-based game servers support a specific type of query called 'secure'. Part of the Gamespy protocol, this query is used to ask if the game server is able to calculate an exact response using a provided string. Luigi Auriemma found that sending a long 'secure' query triggers a buffer overflow in the game server.

Impact

By sending a malicious UDP-based 'secure' query, an attacker could execute arbitrary code on the game server.

Workaround

Users can avoid this vulnerability by not using Unreal Tournament to host games as a server. All users running a server should upgrade to the latest versions.

Resolution

All Unreal Tournament users should upgrade to the latest available versions:
Code:
# emerge sync
# emerge -pv ">=games-fps/ut2003-2225-r3"
# emerge ">=games-fps/ut2003-2225-r3"
# emerge -pv ">=games-server/ut2003-ded-2225-r2"
# emerge ">=games-server/ut2003-ded-2225-r2"
# emerge -pv ">=games-fps/ut2004-3236"
# emerge ">=games-fps/ut2004-3236"
# emerge -pv ">=games-fps/ut2004-demo-3120-r4"
# emerge ">=games-fps/ut2004-demo-3120-r4"


References

Luigi Auriemma advisory
CAN-2004-0608


Last edited by GLSA on Sun May 07, 2006 4:51 pm; edited 1 time in total
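
Added example, not part of the GLSA or of Portage: a shell check that flags installed copies of the four packages that are older than the first unaffected versions listed under Affected Packages. It assumes the installed-package database is at /var/db/pkg and handles only the plain <number>[-rN] versions used in this advisory; the function names are made up for this example.

```shell
#!/bin/sh
# Added example (not from the GLSA): report installed packages that are older
# than the first unaffected version listed in GLSA 200407-14.

# First unaffected version per package, copied from the advisory.
FIXED="games-fps/ut2003=2225-r3
games-server/ut2003-ded=2225-r2
games-fps/ut2004=3236
games-fps/ut2004-demo=3120-r4"

# is_vulnerable INSTALLED FIXED
# Returns 0 if INSTALLED < FIXED, 1 if not, 2 if a version is not <number>[-rN].
is_vulnerable() {
    iv=${1%%-r*}; fv=${2%%-r*}; ir=0; fr=0
    case $1 in *-r*) ir=${1##*-r} ;; esac
    case $2 in *-r*) fr=${2##*-r} ;; esac
    # Refuse to guess on suffixes this simple comparison does not understand.
    case "$iv$ir$fv$fr" in *[!0-9]*) return 2 ;; esac
    [ "$iv" -lt "$fv" ] && return 0
    [ "$iv" -eq "$fv" ] && [ "$ir" -lt "$fr" ] && return 0
    return 1
}

# scan_pkgdb ROOT
# ROOT is laid out like /var/db/pkg: ROOT/<category>/<name>-<version>/
scan_pkgdb() {
    for entry in $FIXED; do
        pkg=${entry%%=*}; fixed=${entry##*=}
        # "-[0-9]*" keeps ut2004 from matching ut2004-demo-<version>.
        for dir in "$1/$pkg"-[0-9]*; do
            [ -d "$dir" ] || continue
            ver=${dir#"$1/$pkg-"}
            rc=0; is_vulnerable "$ver" "$fixed" || rc=$?
            case $rc in
                0) echo "VULNERABLE $pkg-$ver" ;;
                2) echo "UNKNOWN $pkg-$ver" ;;
            esac
        done
    done
    return 0
}

scan_pkgdb "${1:-/var/db/pkg}"
```

No output means none of the four packages is installed at a vulnerable version; an UNKNOWN line means the installed version needs to be compared by hand.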