Unreal Security Hole
Screaming Lunatic writes "There seems to be a big security hole in the Unreal engine that has been around for about 5 years. It affects servers for a number of games and operating systems, including Linux (which accounts for about 40% of UT2003 servers). Epic has been working on a patch for about 3 months. Imagine the bad publicity games would receive if a worm on the scale of Slammer had been created." A Bugtraq post from Thor Larholm of PivX says that Marc Rein of Epic threatened PivX with "getting our lawyers involved with this"; the TechTV article Larholm cites (the same one linked from this submission), however, contains no mention of legal action. Rein nonetheless apologized for "those completely unfortunate comments" in a followup message to Bugtraq.
My mother always told me never to disturb a hornet's nest. Those critters will come after you with all their fury. It seems that's what I did with my last column, "Free Software. Is it Worth the Cost?" (MIND, May 1999). I'm going to use this column to respond to the large amount of email received at the MIND offices in the last week.
First, I should say what these two columns are not. I'm not here to criticize Linux. I'm sure it's a fine operating system; its market share is substantial. Folks who use it seem satisfied. While I might have a few bones to pick with Linux as it stands today, I'm not interested in getting into a shouting match over Linux.
I'm also not interested in defending Microsoft. I don't wish to be drawn into an argument about the size, marketing practices, or quality of Microsoft code. That's not what this column is about. Frankly, a company as fast on its feet as Microsoft can change and thrive in almost any environment. I don't worry about its future.
This column is about the question: should intellectual property -- more specifically, software -- be "free"?
Many respondents thought I was confused on the concept of free as it applied to software. They quoted the "think free speech, not free beer" statement from the Free Software Foundation Web site, http://www.fsf.org/philosophy/free-sw.html. I think I was on the money. For the definition of free, let's use the four freedoms listed on the FSF site, specifically on the URL listed above. The third of these freedoms is "The freedom to redistribute copies so you can help your neighbor." Well folks, if you can freely distribute copies of a program you didn't produce, it's pretty much free in the beer sense as well as the speech sense. It's the freedom to distribute that brings this back to a discussion about economics as well as freedom.
Reading the GNU manifesto (http://www.fsf.org/gnu/manifesto.html) is enlightening and I recommend anyone discussing this topic to do so. However, in its pure form, the GNU concept does envision a world where general-purpose software is freely available -- a world where the programmers are hired for support of this public software. Boy, that's what I live for, maintaining someone else's code.
I like a world where a programmer can sit in a spare bedroom hacking away late at night. When the product is ready, the budding young entrepreneur can sell the product. All the toils of late-night development may then be rewarded with, among other things, a nice pile of cash. This flies in the face of the GNU concept where the product can be distributed by anyone to anyone. Per copy licenses allow a one-to-many multiplier when it comes to the value a programmer generates. Without it, a programmer is left selling his or her skills as a journeyman hacker to the large companies that use the freely distributed software.
If GNU software becomes the norm, of course programmers won't starve. To quote the manifesto, "The real reason programmers will not starve is that it will still be possible for them to get paid for programming; just not paid as much as now." That's a bright future for a high school counselor to put in front of a kid. Sure, some folks will program for the love of it, myself included. It's not a bad thing, though, to be paid and paid well for a program well written. A few companies are paying programmers to write either "free" software or open source software, but large companies like Apple and Netscape have license agreements that violate the spirit and even the word of the GNU General Public License.
This leads me to my last point. Many of the respondents jumped all over the fact that I stated "It's hard to compete if your competition is free" without mentioning Microsoft Internet Explorer. I have less than a thousand words to make a point in this column, so some things have to be understood, not stated explicitly. Of course Internet Explorer is free. However, the developers who wrote Internet Explorer were paid for their efforts.
Finally, last month's column has been used by many as an example of FUD by a Microsoft employee. I'm not, nor have I ever been, an employee of Microsoft. My column is written on my own, thousands of miles from the MIND offices. Now, clearly this column is published in a magazine produced by Microsoft employees, so I am not going to maintain that I am free to say just anything, but any censorship is self-imposed, not the result of pressure from Microsoft. The recently appended disclaimer at the foot of the column is the direct result of my editors wanting to disassociate themselves from my opinions while at the same time allowing me the space to state them.
These two columns have been about discussing the concept of intellectual property and whether it should be "free" or owned. Intelligent people can take either side of the argument. I'm not bashing the other side, I'm disagreeing with it. Folks on the "free" side ought to consider that there is another side to the issue and debate it intellectually, not emotionally. In any case, it's time to move on. I welcome opportunities to debate the topic in other arenas.
The opinions expressed herein are those of Douglas Boling and should not be construed as the opinions of Microsoft Corporation.
Troll 66 of 208 from the annals of the Troll Library.
So, how long until we see the "Monster Kill" virus begin to make the rounds?
WE ARE THE BORG
Lower your firewalls and surrender your computers. We will add your MP3s and bootleg movies to our own. Your lack of culture will adapt to service us.
Slashdot will be assimilated!
Resistance is futile!
Resistance is futile!
Resistance is futile!
Resistance is futil3!
Resistance is futil3!
Resistance is futil3!
R3sistance is futile!
R3sistance is futile!
R3sistance is futile!
RESISTANCE IS FUTILE.
RESISTANCE IS FUTILE.
RESISTANCE IS FUTILE.
Repeal the DMCA!
More at bluesnews.
and here i thought ut2k3 was just really good at killing time. does this mean we can all go up on terrorism charges now since we've used a device capable of bringing down network systems? =)
What If It Does Get Hit By A Worm Like Slammer? I'd have UT2003 withdrawals like a crackhead in rehab. Hurry up and patch it! But seriously, a hole that's been open for 5 years and just now been discovered and working on patching? C'mon Epic, you're not Microsoft.
The flaw in a netshell is that if you have autodownload turned on, you don't know what you might get.
Well no shit.
So, there may be code in a level you get from a server. Whoopde doo, Basil. Do you autodownload and install browser plugins?
It's just a flaw in the complete system of downloading maps from untrusted servers. Turn AD off, get your maps from an archive you trust.
Slammer_Worm is on a killing spree!
Slammer_Worm is on rampage!
Slammer_Worm is dominating!
Slammer_Worm is unstoppable!
Slammer_Worm is Godlike!!!
"I only speak the truth"
Karma: null(Mostly affected by an unassigned variable)
Lots of software has security holes. Games are no different... the difference with games is that they are not targets. It's interesting that this one was spotted, but it's no real surprise.
The poster mentions Slammer. The difference between Slammer and this is that Slammer affected "mission critical" systems, and there are pretty easily demonstrable monetary losses attributed to that worm.
In the case of Unreal, there are not many (if any) businesses (or lives) depending on this software. Hypothetically, someone who hosts games for a fee would get some complaints from customers. But really, a lot of the people affected would be "home users". And, let's face it, home users (including those running Linux) are really vulnerable to all kinds of attacks. This is just a drop in the bucket...
Of course, it'd still suck to get fucked over by this security flaw (just like all the others).
Down with Saudi Arabia!!!
A.C.K.W PoStErS
On February 5th, Luigi Auriemma of PivX Solutions released a tightly packed
advisory detailing multiple vulnerabilities in the Unreal network gaming
engine developed by Epic Games. These vulnerabilities affect both clients
and servers who are playing the plethora of games that are using the engine,
and have been readily exploitable for 5 years.
The press release:
http://www.pivx.com/press_releases/ueng
The advisory itself:
http://www.pivx.com/luigi/adv/ueng-adv.t
Following both industry and personal standards, PivX gave Epic Games a
duration of 30 days to (at the very least) respond to our private
notification to them. After nothing had happened during that month we
prepared to release the advisory, yet once the press asked Epic Games for
comments they were suddenly very responsive. Promises to work closely with
us on the vulnerability and advisory were made and we managed to hold down
the press for several months after this. 60 days passed after this, without
any collaboration, honest effort or actual contact from Epic Games.
We released the advisory after 90 days had passed from the original vendor
notification. 90 days, in which we were played like fools, in which Epic
Games had ample time and sufficient opportunity to react and work with us on
a coordinated release. 90 days in which Epic Games, from the best of our
comprehension, had archived our communications in the trash, during which
we received no serious communication except for crisis handling at the
originally planned release time.
On February 6th, BluesNews (among many others) could cite a quote from Mark
Rein, Epic Games Vice President:
"I won't sugar coat this. We f***ed up on this. Yes this is real and yes
this was brought to our attention and yes we should have fixed it by now."
http://www.bluesnews.com/cgi-bin/board.pl?
On February 11th the tides have changed, and TechTV are reporting public
legal threats from that same person:
"This is slanderous," he says. "They've taken this too far. We're getting
our lawyers involved with this."
http://www.techtv.com/news/security/story
I fail to see how Mark Rein on one hand can publicly announce this to be a
real threat that they should have fixed earlier, and on the other hand can
announce the advisory to be false and malicious statements. There is no
slander or libel in any aspect of this, and the only imaginable outcome that
Mark Rein must have been aiming for by his declaration of lawyer involvement
is to silence future security research on Epic Games products through the
promise of unfounded barratry. As we know from precedents in the past, this
approach to security is counterproductive at best and encouraging for
underground security research at worst, and I can only hope for an official
retraction of this policy by Epic Games once other employees have had half a
minute to think about the implications and example that Mark Rein is setting
forth.
In the past, I have received better nonresponsive treatment by Microsoft
when their security handling was at its worst. Contrary to the vast
improvements that Microsoft has gone through over the last year and a half,
Epic Games did not even start to acknowledge the problem properly before a
full public disclosure had been made on February 5th.
I believe that Luigi, and all of PivX, has handled this issue in a
courteous, professional and ethical manner, and the uncoordinated release
that was its outcome stems from a direct result of a nonresponsive vendor
that at best is plainly ignorant and at worst acts directly against the best
interest and security of its own customers.
Regards
Thor Larholm
PivX Solutions, LLC - Senior Security Researcher
Latest PivX research: Multi-Vendor Unreal Engine Advisory
http://www.pivx.com/press_releases/ueng
I mean that. I simply can't believe it.
When you play CS, you're supporting terrorists!
"threatened PivX with "getting our lawyers involved with this""
No, let's not let the lawyers get involved. They make enough per hour as it is - we don't need to pay anyone $250/hr to play Unreal Tournament for "case notes."
Wait.. then again, lawyers in Unreal Tournament games. Hrm. It could be an all-out fragfest on a level that nobody could have ever imagined before. I like that idea!
"I won't sugar coat this. We f***ed up on this. Yes this is real and yes this was brought to our attention and yes we should have fixed it by now."
:)
I get the feeling that I'll be in my cold, cold grave before Microsoft starts releasing statements like this
But seriously, it's nice to see a large company admitting it has "F***ed up".
Did PivX bother to notify any of the licensees that their games were exploitable?
--sex
Very popular slashdot journal for adul
Think about it. There are literally thousands of internet based applications in use every day, and they range from the obscure to the common on a wide variety of operating systems.
Just because your favorite (or even least favorite) app hasn't had a major hole found in it that doesn't mean it isn't there. You might be running a time-bomb on even the most secure of your systems and not even be aware.
Of course this is all obvious to anybody who has been online for a while.
It's been a question for years whether bug finders should go public with bug finds or contact the company directly as to the flaws and the extent of their risk. I think the Open Source community agrees that places like bugtraq and open forums are the best way to discuss holes and security risks. Although Mark Rein was a little over-reactive and zealous M$ and other companies should make more effort to help their users find bug reporting easy -- in an open environment. This would really speed up the patching process (the priority at least) as well as the overall quality of knowledge available to the users affected and the company whose product is at fault.
I think this adds some teeth to the popular notion that gamers, or at least the majority of them are, terrorists. Plain and simple. They are a threat to the security of the principles we hold dear in the United States of America, and the Right Honourable Prime Minister George Williamson Bush, Junior should consider binding legislation against anyone suspected of being in a gamer-terrorist cell.
A.C.K.W PoStErS
Thor,
I have sent your company an apology for those completely unfortunate
comments that I sincerely regret. We did provide an official statement
and I was not, at the time, aware that my verbal reaction, in a moment of
shock and surprise, was being captured for the article.
The comment was a complete over-reaction to seeing the list of games
including future games that have not yet been published. It had nothing
to do with the security issues themselves, the validity of the report, or
the way Pivx presented it to us. Pivx gave us more than fair enough
warning of the bugs and we simply failed to fix them in the allotted
time. We released a statement last week to the Unreal community
indicating that "we fucked up" in not addressing these concerns within
the given time and that we were already testing a patch with the security
issues corrected. In addition the official statement we gave pointed out
that we were fixing the holes and that the Pivx report was fair and
accurate. Licensees were already provided with the source code for the
security fixes.
Again this was a moment-of-stupidity reaction and I sincerely apologize
to Pivx and the entire security community. Epic has already stated that
we will take these matters far more seriously in the future.
Mark Rein,
Epic Games Inc.
Visit us at http://www.epicgames.com
Good. On. Mark. Rein.
He admitted that they screwed up. (or fucked up, as the case may be.) He lost it when pivx went public. Then he apologised for losing it, and admitted that pivx was entirely in the right.
This is about as much news as the bug itself. Not much.
"People who do stupid things with hazardous materials often die." -- Jim Davidson on alt.folklore.urban
And you get modded as insightful... oh well.
that's why I've lost so many matches! Somebody is executing malicious code that screws up my aim and makes me play like crap.
Carmack? I hope you know about this .. please dont have security issues in Doom 3. That would really suck.
I hate liberals. If you are a liberal, do not reply.
Servers out there. Simply create UDP packets and send them to 10000 servers and they will all respond to the place you want to DoS. Games are no safer than any other piece of Internet connected software.
This should definitely get more attention now and in the future. The innocence of the internet is long dead (long live the king [of porn]).
Just like I've always said!! Windows is incredibly insecu.. ehh...
Um...oh. never mind.
teeker
Bill Gates called a news conference at Microsoft HQ in Redmond Washington.
Gates had slated a news conference regarding Microsoft's long-awaited "Return of Clippy" office suite. Gates was reportedly wearing sunglasses and a t-shirt that had printed, on the front, "fuck you, I have enough friends". He was holding what appeared to be a forty-ounce bottle of Miller Genuine Draft. Pouring a small amount of his beverage on the ground, Gates quipped "fuck this, nigga gotta get laid," before laying a patch in his plum-purple '69 Impala.
Showing robust shareholder interest, Microsoft's stock rose ten points.
~D:
Now they should make a movie, where some kid installs this on his dad's computer at work, and his dad just HAPPENS to be the scientist involved in working the computers that controls nuclear weapons, and they have to play unreal, and if they lose: the world will be destroyed, so they put the kid in some virtual reality suit so he can get inside the game and play for real and save the day. oh come on! it's as good a plot as any other videogame based movie, think of that and really tell me honestly that wouldn't be the plot of any unreal movie that came out....
-You're wasting your time. Alfador only likes me.
if he doesn't want to use the word 'fuck', why does he use it? oh, i guess it's for the children's sake, because they can't figure out what the missing word is.
Being a fairly regular UT2003 player I can honestly say there are not nearly as many servers out there as open MS SQL boxes. There are maybe a 1000 or so boxes at any one time running servers and the traffic is generally low.
I think a worm targeting corporate computing environments that causes real economic damage is a LOT more important than a worm targeting "game servers". "Like Slammer". No, this is nothing like slammer.
"I think that those responsible deserve at least a little credit for being so forward with not only the nature of the problem but their failure to attend to this earlier. "
read that last part bub..
"but their failure to attend to this earlier. "
He knows that they behaved horribly, but he likes that they admitted to it and are rectifying the situation.
Did you read Epic's apology?
That's quite a number of games that are affected. Epic probably can't issue patches for games that it doesn't own, so it's up to the engine licensees to do this.
I'm curious if PivX notified those developers before it issued its advisory. Some of the developers might have addressed this on their own if they were aware. Or is PivX trying to gain a bit of exposure by jumping the gun?
Switching to Quake III.
:-(
Just when me and my friends were putting the finishing touches of our college residence Unrealy Tourny level
Patch it! Patch it quick, I have to snipe! A day without "M-mmmonster KILL" ringing in my ears, is a day not worth waking up for.
Saskboy's blog is good. 9 out of 10 dentists agree.
... especially when the first demo gets put out. And then the first few point releases/patches/whatever. And let's not forget what that new 400mb mod can do to a poor ftp server when it suddenly becomes the Hot New Thing in gaming.
If that's not an invitation for the goatse.cx guy then I don't know what is...
When you play CS, you're supporting terrorists!
And everybody knows smoking pot is as American as apple pie?
$x='S24;r)>63/* h@<5+oZ)32"5cz';$me='phroggy'x$];
$x=~y+ -xz+\0-Tx+;print$_^chop$me for split'',$x;
GG
NEW MAP!!!!!!!!!!!!!!!!!!1111
GG EVARYBODY
ZEROSTUD IS A CHEATER
YEAH, I
OMFG UR TEH LAMER
SHUTUP, U CAMPING FAG
[FGP]-Killaz-X -0- LAG!
NO LAG U SUX
NO FUCK YOU
I GET 20 PING
U GUYS HERE ABOUT TEH SECURITY THING??!
GG
NEW MAP
LATZ, IM GONNA PLAY CS
FUCK YOU
KILLING SPREE
UR CHEATING
KICK HIM
STFU U LAMR, YUO SUK
VOTE ON NEW MAP
..when the only weapons you have are a pair of Enforcers.
Those damn guns are just too fantastic not to use. High rate of fire (when you have two), good accuracy, no splash damage to yourself in a fire fight, pretty dangerous if you can keep your cross hairs on your opponent's head.
Lobbing the Gravity Vortex or flying a Redeemer missile into a large bunch of players to get the M-Kill seems like cheating!
What's really amazing about this flaw is that GameSpy and its ilk unwittingly offer thousands of IP addresses from which possible DOS attacks may originate. Part of running an Unreal server involves sending "heartbeats" to the master servers of your choice advertising your IP so that other players may easily connect.
No port scanning of any IP ranges to determine what services are available is needed.
That's like Microsoft providing a web page showing which IIS servers are still affected by code red and showing their IPs.
Praying for the end of your wide-awake nightmare.
hehe think that you are on to something. ;) ) and people didn't ask questions like how do set the computer back to the ip i use at home. and yeah people didn't whine as much sure i have heard q3 and ut players whine a bit but with cs it's often more whining than gaming. and for god's sake cs must have the worst 3d graphics. if u don't count really old games like doom and wolfenstein 3d but then those old games are still better than cs
cs must be damaging people's brains. on the LAN parties before cs people didn't steal the gateway's ip by mistake(if did happen it was on purpose
Guns, rocket launchers, women: good
Worms, security holes, f'ing smiley face proxy mines, Microsoft: bad
mmmkay?
What has happened to Epic? They have gone from being the creators of some of my favourite games, to releasing two disappointing games in six months, doctoring pre-release photos to make them look spiffy, not releasing demos, making slurs against female gamers (again with Mark Rein) taking playable female avatars out of their games and replacing them with BMX XXX style eye candy for the guys who think that kind of thing makes up for lame gameplay. No demo for Unreal 2, short, mediocre single player Unreal 2 and UT 2003, average maps, no online play for Unreal 2, buggy releases, taking all the stuff out of UT that made it fun, telling their fans who can't play UT 2003 because of their idiotic disc security to go find an "exe" replacement, and linking to a page from their forums that also has for download (ta da!) a key generator for UT 2003. ALSO - focusing on making console stuff and giving PC users second rate, dumbed down, and simplified ports of XBox games...
I hope they get their act together, because at their best, they are inspired with a lot of talented people on board. But what is going on?? Perhaps they need to reassess and re-build and somehow find that pure love of making a well crafted game instead of a graphics demo for their engine. I hope they succeed.
With all these knuckleheads with too much time on their hands, trying to find as many holes, exploits and bugs in commercial and os software... It's about time they finally started popping up in games and entertainment as well. I find it rather funny that this hasn't happened more often, but I suppose that if you were to break it down, people who are hardcore gamers are probably a fair bit more knowledgeable about exploits and the like than your average sysadmin.
:)
(I'm serious! And you know it's true... even if you deny it!)
IT'S A TRAP!
[/Admiral Akbar]
It can't be real ;-)
that carmack left in there with an ip specified specifically from id software would allow complete control? Basically, the server watched for a packet from a specific server and would do anything it wanted.
Well after 2 years of unemployment, toqer is getting into the game house business. That's right, 40 computers T1, the works. I know that my users will be 10 times smarter than the average corporate user and 1/2 the age!
(dum bum bum)
Joking aside, from personal experience I say we're all doomed to open mouth insert foot once in a while, and Marc Rein is no exception. Before you disagree with me or mod me down, let me remind you all of what a *ASSET* epic has been to the gaming community.
Unreal is cross platform, no waiting, it was there pretty much day 1. You can play UT2003 on win or lin.
In regards to my future business, epic has THE BEST licensing compared to EA, Valve, Activision and blizzard, their license is basically "You buy it retail, go ahead and load it on your rental computer" The aforementioned companies want indefinite license fees and Epic doesn't.
Despite home PC gaming being the best, I know the gamehouse community will grow because not everyone can afford 50 P4 3ghz with hyperthreading. As long as the gamehouses keep their technology ahead of the "home curve" they will become a dominating force for showcasing games, a marketing tool if you will. Epic understands this and wants to see this happen.
Epic has been good to the gaming community, and since Marc was grown up enough to apologize, we should be grown up enough to forgive him.
Sorry I can't stop talking about the gamehouse thing....Since I know some devs (Even Carmack at ID) read slash, hopefully if I get modded up enough they'll read this.
To: EA, Valve, Activision and blizzard
Your indefinite contracts suck. Gamehouses are Synonymous with arcades with one vital difference... You do not provide the actual hardware. The owner of the facility provides hardware at a HUGE cost. Try pricing a gamehouse built on Dells sometime and see, the monthly cost of lease / and or buy is crazy. Don't be cheap about it either, price all top of the line and see what you come up with.
The thing you guys don't see is that gamehouse could be the new retail outlet for your games. Licensing shmicening, send me a box of your product to sell on consignment, and I GUARANTEE I would sell out those boxes faster than any single fry's or compusa store. Just find 1 gamehouse to TRY it with as an experiment, see if you sell more.
Kudos, however, to Epic for later retracting it.
Not so much a sig as a lack of one.
If there's as many Unreal Servers as MS SQL servers and as many firewalls forwarding the ports, then something's just not right with the internet world...
Then again, many things are not right with the internet world [shrugs]
The past 15 years of life all in one.
It's called context. When Epic found out, they assigned a programmer to it. That guy screwed up. However, Epic isn't afraid of critiquing their own performance. Ever since the security error was widely publicized (about a week ago), Epic has been nothing less than forthcoming about the magnitude of the error.
It's a very understandable situation, one that's happened before even to good companies. They didn't try to cover it up, or call it a feature. They've just been working their pants off trying to get out a patch that fixes the problem w/o causing even more havoc.
I like it better when you surpass "M-M-Monster Kill" and the announcer says , "Holy Shit!"
It's only a game so how long does it take to fix a bug like this, for a game? It shouldn't take that long, it's not an operating system. Well I guess we can say that Microsoft isn't the only company with bugs left unfixed.
Frankly, if you're someone who routinely writes "ppl" in place of "people" you're already demonstrating such severe degeneration of health/brain that you may already be a lost cause.
Sooo...what I wanted to say is that I hope that someone f**k the game-servers up so badly that these trapped gamerz can see what life has to offer!
Might I suggest you take some of the same advice you give to these "gamerz" and check out what life has to offer. It appears to be passing you by.
"They do not preach that their god will rouse them, a little before the Nuts work loose." Kipling, 'The Sons of Martha'
It is likely that this whole f#ck up was caused by clueless middle people at Epic. Those that have no frigging clue about what security people do in situations like this. I am pretty sure they also could not be bothered to research the consequences of their silence.
Hopefully this story gets more publicity so that even the least informed ones get a clue that ignoring vulnerabilities is a BAD thing to do!!!
Did you RTFA (READ THE FUCKEN APOLOGY)?
I came across it when it came in my inbox from Bugtraq. Just try to imagine Steve Ballmer, in a very public forum literally saying "we fucked up". I thought it was one of the most amazing acts of humility I've ever seen from someone who is probably worth millions. Also, the TechTV article linked from the PivX letter citing "public legal threats"... ummm... doesn't contain any legal threats. I'm assuming that he made them on the air on TechTV.
Also, as Rein explained in his apology, his initial reaction was to the fact that PivX was implying that 4 games which were not even released yet were insecure; which is a conjecture on PivX's part, and which could potentially damage the sales of those games even if the holes were fixed. His initial reaction was that this was libel, and he was correct.
This conjecture was not properly disclosed in the original disclosure, which means if the developers for these games were to show that their code was in fact patched against these vulnerabilities, it is in fact libel.
And you get modded up to +5.... oh well.
Now I guess when someone says they '0wnz j00' they might really mean it. ;)
-- There was no way I was getting sniped in my fly hiding spot on the side of the Red Tower. I mean what Blue guy would even be looking there? Had to be a bug of some kind! --
This
Imagine the bad publicity games would receive if a worm on the scale of Slammer had been created.
I wouldn't mind seeing which bank used unreal servers in their ATMs :)
Report the REAL security holes, dagnabbitall!
"But the cars are all flashing me, bright lights are passing me, I feel life passing me by" - Stiff Little Fingers
Well, if the security hole is unreal, then why are we worrying about it? The definition of unreal is non-existent... Oh, wait, you're talking about the GAME unreal! My mistake :-)
now they're posting FAKE security holes... Unreal Security Hole
~Jon
This space for rent, inquire within.
why isn't this modded down to -1?
there is no such thing as a stupid question... just stupid people who ask questions.
This is not very different from the Gamespy vulnerability posted here about a month ago. This vulnerability also lets the attacker crash the server instead of just using it for a DDOS attack. What do you guys think it's more likely, that a script kiddie will use a l337 h4ck to try to DDOS yahoo, or that he'll just try to take down every unreal server on the internet?
I just wonder if this was caused by a drunken programmer that decided that avoiding a handshake would optimize the network code, or by just a network programmer that didn't even know what a handshake is. If this happened in my company I'd wish it was the former, not the latter.
how about you login and let him rip you a new asshole. what the fuck does the apology have to do with the point he was making in his post?
...how lazy game manufacturers are nowadays and how little they care about game issues until something like this happens.
Dolemite
Save the World! Use a Quote!
the health/brain degeneration of the CS community could do them (and us) nothing but good.
Now.. BF1942 - there's a real game
Many moons ago I used to host a dedicated Unreal Tournament server named "Mr.Toad's Wild Ride". It was on a P3-550 running RedHat 6. The only Linux box in my cabinet, all the other servers were FreeBSD.
One day my network went to crap, and I found that the switch had been overloaded with bogus MAC addresses. Turns out someone had hacked the Unreal Tournament box and put a very nasty packet sniffer on it. (Thank the gods for ssh.)
I had always assumed it was just the default state of a RedHat 6 box that had been easily cracked.
-Chris
-- This sig is only a test. If this were a real sig it would say something witty. --
While I agree that MS may do some things to keep their market share up which could be considered monopolistic, they have MANY valid reasons to exclude Java from Windows. They shouldn't be forced to include ANY 3rd party app in Windows. They make it easy to install Sun's Java if a user wants. That's good enough. I personally hate Sun's Java. It's a hog of resources on your system and the applications written for it are slow too. Sun is more than welcome to include their "crap" in their Unix/Linux OSs. Do you think that if MS developed
By the way... I was a 5 year Java developer. I tried
So funny because it's true.
I guess most Unreal tournament players are sub-adults.
The man who trades freedom for security does not deserve nor will he ever receive either. - Benjamin Franklin
You know the figures, 7x faster than J2EE with 1/4th the code. It's true, I've developed in both and will attest to it.
Open source is great, I'll switch as soon as ASP.Net is ported to Linux. Till then, gimme my
how about you login and let him rip you a new asshole. what the fuck does the apology have to do with the point he was making in his post?
Also, as Rein explained in his apology, his initial reaction was to the fact that PivX was implying that 4 games which were not even released yet were insecure; which is a conjecture on PivX's part, and which could potentially damage the sales of those games even if the holes were fixed. His initial reaction was that this was libel, and he was correct.
This conjecture was not properly disclosed as such in the original disclosure, which means if the developers for these games were to show that their code was in fact patched against these vulnerabilities, it is in fact libel.
Hope this helps.
Kazaa's next legal defense will be that their software is not a file-sharing service but really an instant messaging server with a security hole that can be exploited to give access to a user's hard drive.
Ergonomica Auctorita Illico!
Any company that chooses .net over other alternatives will get what they deserve. That will be a high cost in the future in the form of never ending payments to Microsoft.
.net without any knowledge of Microsoft's future pricing policies, commitment requirements and security policies.
Microsoft has demonstrated time and again that the customer comes second to Microsoft revenue.
A company IT manager should be fired for even recommending a commital to
These same companies will also be helping MS in their attempt to completely control internet standards. Control of standards by Microsoft will stifle competition and further ensure the company's future cost will be high.
http://saveie6.com/
what about the 'unlimited nukes' virus? Or the auto targeting lightning gun.
Do you need a website upgrade?
- Local and remote denial of service.
- Distributed denial of service (flooding remote computers with data packets to freeze it).
- Bounce attacks with spoofed UDP packets
This bit sounds an awful lot like the GameSpy reflection attack: you send them a forged UDP packet asking for some resource, they send out 400 times as much data to the poor bloke whose IP you put on it. Rinse, lather, repeat and you have yourself a pretty big DRDOS (not the guys MS killed, rather a Distributed Reflection Denial Of Service).
I hereby place the above post in the public domain.
It's funny, but in BF1942 you always know who primarily plays CS; they're the ones who start jumping when you shoot them.
Courtesy of Google Groups
If you really want to be paranoid, you can run a server inside a User Mode Linux VM which is only a little slower than a real box (only the system calls are emulated, not the instructions) and iptables on all IP connections into and out of the box.
It wouldn't solve every problem, but it would reduce the ill-effects of most worms.
Umm.. that was the point of the joke...
Jeeze, people here have less humor than stuff I've coughed up.
Actually, I'm Frank and I am sick and tired of people wanting to be me :)
Progress is man's ability to complicate simplicity!
Yeah, let's put some readability into these trolls!
Way back in the days of Quake 1, there was a problem with Quake 1 servers--if you sent a spoofed connect packet (20 bytes) to them, they would respond with like 5000 bytes to the source address.. this is a case where it magnifies amount of traffic from the original source. There was a program called quakewar that exploited this. They fixed this for QuakeWorld, Quake2, 3, and all games based off these (Half-Life is based off QuakeWorld and Quake).. basically instead of responding with all the information necessary for the client to get in sync with the server, they send back a random number (a string actually about 8 bytes) that the connecting client must in turn send back. If the server never receives this, it won't proceed to send lots of data to the source address. I did a bit of stuff with a simple quakeworld proxy before so I'm sure about how this handshaking happens for Quake protocol games. Sure you can get all 10000 Half-Life servers to respond to someone, but it won't be much more data than you could send out yourself. I assume the Unreal problem is that it doesn't do this little handshaking to make sure the source is real.
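The challenge handshake described in the comment above, as an added server-side sketch that is not part of the original thread or any game's code. The `status`/`challenge` packet formats, the constructed `STATUS` payload and the use of an HMAC-derived token (instead of a stored random number) are assumptions made for illustration.

```python
import hashlib
import hmac
import os

SECRET = os.urandom(32)            # per-process server secret (assumption)
STATUS = b"\\hostname\\demo" + b"\\player\\x" * 500  # constructed large reply
EPOCH_SECONDS = 30                 # token lifetime bucket (assumption)


def challenge_for(addr, now):
    """8-byte token bound to the claimed source address and a time bucket."""
    ip, port = addr
    msg = f"{ip}:{port}:{int(now) // EPOCH_SECONDS}".encode()
    return hmac.new(SECRET, msg, hashlib.sha256).hexdigest()[:8].encode()


def token_ok(addr, token, now):
    # Accept the current and previous bucket so a token never expires mid-handshake.
    return any(hmac.compare_digest(token, challenge_for(addr, now - d))
               for d in (0, EPOCH_SECONDS))


def naive_server(addr, packet, now):
    """Pre-fix behaviour: full status goes to whatever source the packet claims."""
    return STATUS if packet == b"status" else b""


def handshake_server(addr, packet, now):
    """Full status only after the claimed source echoes its token back."""
    if packet == b"status":
        return b"challenge " + challenge_for(addr, now)
    if packet.startswith(b"status "):
        if token_ok(addr, packet[len(b"status "):], now):
            return STATUS
    return b""                     # bad or stale token: stay silent


def amplification(server, addr, packet, now=1000.0):
    """Bytes sent toward the claimed source per byte received."""
    return len(server(addr, packet, now)) / len(packet)
```

Because the token is derived from the claimed address, a host that never sees the challenge cannot produce a valid follow-up, so the most a forged request can bounce is the 18-byte challenge.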
I'm very disappointed that many ISVs only get serious about security when someone rats to the press. As a member of the press, I'm all for it :) but it's still disappointing.
Rather like those investigative shows on TV which examine cases of customers getting raw deals, often for years, from vendors/shops/etc. But when the journos arrive, they're all smiles and terribly-sorry-we'll-make-it-all-better, paying off that one customer and still ignoring the many who are still being screwed the same way.
Why does it have to get to the stage of negative publicity before firms get a clue about customer service? Commercial reasons, obviously - customer care is overhead - but it's still sad.
...HOLY SHIT!
Which I suppose is what people would have been saying if a major exploit was ever created/and spread to their machine.
Are you local? There's nothing for you here!
A first security patch solving the main issues has been released to the licensees about a week ago. The second one was released yesterday and solves most other issues.
It's been around for a long time but as far as I know this security issue hasn't been abused yet.
Of course the fact that Epic released patches doesn't mean that all the games using Unreal have been patched yet.
One of the exploits allows you to run your own code on the machine running an unreal engined game. It should be possible to exploit this bug on the xbox with Unreal Championship, too. That would be a way to run unsigned code on an unmodified xbox. Unreal Championship would be something like a boot cd for linux.
As far as I know Xbox games are running at Ring 0 for speed reasons, so it should be possible to get complete control over the xbox and run Linux or other code without a modchip. Other networked games could have similar problems, so that scheme could work with other networked games too.
Jan
And why are you saying I am in shitty company? I'm not a website administrator you fucking moron.
I hate liberals. If you are a liberal, do not reply.
Saying there isn't going to be a lawsuit
Figure I'd toss in my 1/50 of a Euro at current exchange rates.
"The Sage treasures Unity and measures all things by it" - Lao Tzu
The one reason I was hesitant to play Unreal Tournament on the web was because there seems to be no way to stop it from automatically downloading new maps.
I routinely scan all my downloads if I'm not familiar with the server.
A goal is a dream with a deadline
I'll know better next time.
I don't know anyone who plays CS without grass ;)
Date: November 26, 2002
r ibes 2
Released: January 16, 2002
Version: All up to current.
Bug: Server status port replies to spoofed UDP packets with large amount of data.
Affected Games:
Quake
Quake 2
Q3: Arena
Half-Life
Counter-Strike
Sin
Soldier of Fortune
Daikatana
Unreal Tourn.
Quakeworld
Unreal
Rune
Gore
Tribes
T
Serious Sam
Serious Sam 2
CC: Renegade
Global Operations
Jedi Knight 2
Battlefield 1942
America's Army
Unreal Tournament 2003
Return to Castle Wolfenstein
Medal of Honour Allied Assault
SoF2 Double Helix
SoF2 Double Helix Demo
Alien vs Predator 2
NeverWinter Nights
V8 Supercar Challenge
UDP is a connectionless protocol of which the source ip and port can easily be spoofed. If you've read the introduction, you can probably see where I'm going with this.
The BF1942 status port will reply to an amazing amount of requests, and although I have only personally tested this to 50 kbytes/sec, I don't see any reason why you couldn't go even higher.
When these requests are received, the reply is sent to the source host which, in this case, we have spoofed. This causes a huge packet flood to your victim, therefore you now have your DoS.
When tested, a single upstream of 4 k/s to the BF1942 server yielded over 550 k/s being sent to the victim host. When the victim's host receives these packets on a UDP port which is open (commonly found to be 135 (MS/DCE RPC), 53 (DNS), and so on), the downstream to that connection will be flooded. If you sent to an unreachable port on the victim's host, the victim's stack will respond with "Unreachable" responses which will also flood their upstream.
A personal firewall such as ZoneAlarm will not prevent this DoS, as it is simply a flood of information being sent directly to the victim's computer. To stop this DoS from reaching the victim, the port you specify would have to be blocked before reaching their system. Ports you would find particularly useless would be ones that are commonly blocked by ISPs before reaching the customers: (139/NetBIOS, and so on). A firewall will only prevent the victim from responding with ICMP Unreachable packets.
* Packets can be sent steadily, no wait time needed for refresh.
This is an attack that can easily flood any system slower than the game server, and do it anonymously because the UDP packet source is spoofed to that of the victim. This is very similar to the "smurf" attack that was used in the late 20th century. =)
The attack does not only affect the bandwidth of the host and the victim, but it also tends to eat up a nice chunk of memory and CPU power on the server.
This low amount of required upstream would allow a simple modem user to send a hefty DoS to a T1 or higher.
Due to the fact that Battlefield 1942 servers tend to require a lot of bandwidth to operate, you are very likely to find that nearly any server will have more than enough bandwidth to handle the task. EA has many of their servers hosted on OC3 lines.
In many ways, this exceeds the severity of the smurf attack method.
Example theory of risk:
T1 (1.54 mbps) FULL DoS:
1 server needed @ ~220 k/s or more (a 20 player server will do).
1 - 2 k/s* upstream needed from attacker (~14.4 baud modem)
A single user dialed up at 14,400 bps can topple a T1.
A single dial-up at 56k (31.2kbit up) could DoS 2 T1s at a time.
Worst of all, proof-of-concept code is in the wild =/
More information at Securityfocus. This is the remote exploit which seems to be a UDP amplifier.
If all ISPs actively put in anti-spoofing filters on all their routers then this type of denial of service attack could be greatly reduced as blackhats would only be able to spoof IPs & UDP services to their own segments.
But no, most ISPs probably take a router out of the box, type a few commands and take it into production.
and mod me down to redundant if you like, as this has been said before in a hundred other threads
you admit you are just repeating what you read elsewhere?
-1 Blatant
Didn't you know that's what it meant when people said, "I OWNERZ JOO!!"?
yeah, that helps. it helps to prove you're an asshole.
You may not have gotten first post, but you got BEST POST.