Unreal Security Hole

Screaming Lunatic writes "There seems to be a big security hole in the Unreal engine that has been around for about 5 years. It affects servers for a number of games and operating systems, including Linux (which accounts for about 40% of UT2003 servers). Epic has been working on a patch for about 3 months. Imagine the bad publicity games would receive if a worm on the scale of Slammer had been created." A Bugtraq post from Thor Larholm of PivX says that Mark Rein of Epic threatened PivX with "getting our lawyers involved with this"; the TechTV article Larholm cites (the same one linked from this submission), however, contains no mention of legal action. Rein nonetheless apologized for "those completely unfortunate comments" in a follow-up message to Bugtraq.

17 of 250 comments

  1. Links by prothid · · Score: 5, Informative

    More at bluesnews.

    1. Re:Links by prothid · · Score: 5, Informative

      Here too.

  2. Yadda by Anonymous Coward · · Score: 5, Informative

    The flaw in a nutshell is that if you have autodownload turned on, you don't know what you might get.

    Well no shit.

    So, there may be code in a level you get from a server. Whoopde doo, Basil. Do you autodownload and install browser plugins?

    It's just a flaw in the complete system of downloading maps from untrusted servers. Turn AD off, get your maps from an archive you trust.

    1. Re:Yadda by mrpuffypants · · Score: 1, Informative

      I find that a lot of people usually turn that bugger of autodownload off.

      The problem is that Unreal, Quake, etc. aren't that efficient at sending big files when you have to "autodownload" a level. Effectively this slows down the connection for the server and makes the client have to sit at their computer for a long time and wait for a new map to download. Usually by the time that map has downloaded you've missed that whole round and end up downloading a brand new map again.

      It's a lot easier to download stuff from Fileplanet (ick...waiting in line for a file) or elsewhere: it's faster and easier in the long run

    2. Re:Yadda by Sycraft-fu · · Score: 5, Informative

      Actually, UT has a nifty solution for that. A server can redirect someone to a webserver that contains compressed files. Now since it's a webserver, it downloads at the max rate of your internet connection, much faster than the stream from the server. Also the compression is pretty much 50% or better on all files. So it really doesn't take long. UT then decompresses and gets them ready for you.

    3. Re:Yadda by Qrlx · · Score: 3, Informative

      It may not have made any sense, but that's the truth.

      I play a lot of Return to Castle Wolfenstein, and every time I try to download some new map from a server hosting that map, it CRAWLS at like 2k/sec. This is on an attbi.com cable modem where I just downloaded mozilla 1.21 at 120 KB/sec.

      For some reason, the server just won't open a fat pipe to you so you can download one map that everybody else has. It's probably a feature more than a bug. And the thing in Unreal Tournament 2k3 is an even better feature. I was playing this game at a friend's house and I went to some server with a map he didn't have -- lo and behold it connected me to some ftp site and I had the thing in seconds. The same thing would have taken at least 5 minutes in RtCW.

      I guess the downside is -- who knows what's REALLY on that FTP site (or server hosting the map in the first place)?? Well, use antivirus, don't be an idiot, back up important stuff on a floppy. If a bug in UT2k3 is what makes you do this stuff, then you are very very lucky that this is the worst brush with disaster you've had.

      Oh, and you're probably a n00b, too!

    4. Re:Yadda by Cirvam · · Score: 3, Informative

      Games tend to use UDP, not the most efficient way of transferring files. Webservers tend (haven't seen a UDP based one yet) to use TCP, which is a bit more efficient. So in sheer efficiency, downloading from a webserver is faster than from the game server. Plus as others have mentioned you usually have limits on the bandwidth usage on both the client and server side.

  3. Bugtraq Post by Anonymous Coward · · Score: 5, Informative

    A.C.K.W PoStErS

    On February 5th, Luigi Auriemma of PivX Solutions released a tightly packed
    advisory detailing multiple vulnerabilities in the Unreal network gaming
    engine developed by Epic Games. These vulnerabilities affect both clients
    and servers who are playing the plethora of games that are using the engine,
    and have been readily exploitable for 5 years.

    The press release:
    http://www.pivx.com/press_releases/ueng-adv_pr.html

    The advisory itself:
    http://www.pivx.com/luigi/adv/ueng-adv.txt

    Following both industry and personal standards, PivX gave Epic Games a
    duration of 30 days to (at the very least) respond to our private
    notification to them. After nothing had happened during that month we
    prepared to release the advisory, yet once the press asked Epic Games for
    comments they were suddenly very responsive. Promises to work closely with
    us on the vulnerability and advisory were made and we managed to hold down
    the press for several months after this. 60 days passed after this, without
    any collaboration, honest effort or actual contact from Epic Games.

    We released the advisory after 90 days had passed from the original vendor
    notification. 90 days, in which we were played like fools, in which Epic
    Games had ample time and sufficient opportunity to react and work with us on
    a coordinated release. 90 days in which Epic Games, from the best of our
    comprehension, had archived our communications in the trash, during which
    we received no serious communication except for crisis handling at the
    originally planned release time.

    On February 6th, BluesNews (among many others) could cite a quote from Mark
    Rein, Epic Games Vice President:

    "I won't sugar coat this. We f***ed up on this. Yes this is real and yes
    this was brought to our attention and yes we should have fixed it by now."
    http://www.bluesnews.com/cgi-bin/board.pl?action=viewthread&threadid=39954

    On February 11th the tides have changed, and TechTV are reporting public
    legal threats from that same person:

    "This is slanderous," he says. "They've taken this too far. We're getting
    our lawyers involved with this."
    http://www.techtv.com/news/security/story/0,24195,3417248,00.html

    I fail to see how Mark Rein on one hand can publicly announce this to be a
    real threat that they should have fixed earlier, and on the other hand can
    announce the advisory to be false and malicious statements. There is no
    slander or libel in any aspect of this, and the only imaginable outcome that
    Mark Rein must have been aiming for by his declaration of lawyer involvement
    is to silence future security research on Epic Games products through the
    promise of unfounded barratry. As we know from precedents in the past, this
    approach to security is counterproductive at best and encouraging for
    underground security research at worst, and I can only hope for an official
    retraction of this policy by Epic Games once other employees have had half a
    minute to think about the implications and example that Mark Rein is setting
    forth.

    In the past, I have received better nonresponsive treatment by Microsoft
    when their security handling was at its worst. Contrary to the vast
    improvements that Microsoft has gone through over the last year and a half,
    Epic Games did not even start to acknowledge the problem properly before a
    full public disclosure had been made on February 5th.

    I believe that Luigi, and all of PivX, have handled this issue in a
    courteous, professional and ethical manner, and the uncoordinated release
    that was its outcome stems from a direct result of a nonresponsive vendor
    that at best is plainly ignorant and at worst acts directly against the best
    interest and security of its own customers.

    Regards
    Thor Larholm
    PivX Solutions, LLC - Senior Security Researcher

    Latest PivX research: Multi-Vendor Unreal Engine Advisory
    http://www.pivx.com/press_releases/ueng-adv_pr.html

  4. All the servers will be fixed in a jiffy. by $$$$$exyGal · · Score: 1, Informative

    These exploits won't be around for long. As opposed to website administrators, Unreal administrators care about their sites not going down. I'm serious.

    --sex

    --
    Very popular slashdot journal for adul

  5. Epic Rebuttal by Anonymous Coward · · Score: 4, Informative

    A.C.K.W PoStErS

    Thor,

    I have sent your company an apology for those completely unfortunate
    comments that I sincerely regret. We did provide an official statement
    and I was not, at the time, aware that my verbal reaction, in a moment of
    shock and surprise, was being captured for the article.

    The comment was a complete over-reaction to seeing the list of games
    including future games that have not yet been published. It had nothing
    to do with the security issues themselves, the validity of the report, or
    the way Pivx presented it to us. Pivx gave us more than fair enough
    warning of the bugs and we simply failed to fix them in the allotted
    time. We released a statement last week to the Unreal community
    indicating that "we fucked up" in not addressing these concerns within
    the given time and that we were already testing a patch with the security
    issues corrected. In addition the official statement we gave pointed out
    that we were fixing the holes and that the Pivx report was fair and
    accurate. Licensees were already provided with the source code for the
    security fixes.

    Again this was a moment-of-stupidity reaction and I sincerely apologize
    to Pivx and the entire security community. Epic has already stated that
    we will take these matters far more seriously in the future.

    Mark Rein,
    Epic Games Inc.

    Visit us at http://www.epicgames.com

  6. Re:At least they're being frank... by The+Bungi · · Score: 4, Informative

    Didja RTFA? The guy is specifically citing how Epic behaved worse than Microsoft used to before they cleaned up their act.

    And you get modded as insightful... oh well.

  7. Re:Four words... by yomegaman · · Score: 1, Informative

    He apologized, big deal that costs nothing. He acted like a total jerk with the lawyers bit, ignored the bug for three months, and it's still not fixed after all this time. What's so praiseworthy about that?

    --
    ...wearing a skin-tight topless leather jumpsuit, with cutaway buttocks and transparent crotch panel.

  8. TechTV re-wrote their story by marnerd · · Score: 4, Informative

    I read the old version, and it definitely did mention "slander" and "lawyers". Shame on TechTV for deleting the evidence and on Epic for the comment.

    Kudos, however, to Epic for later retracting it.

    --
    Not so much a sig as a lack of one.

  9. Re:Let's not overreact here... by Splab · · Score: 2, Informative

    Uhm.. you guys are waaaaaaaay off here. You're all taking a look at it in a political / our medical db is important nuf to be nuked...

    There are 2 kinds of people (doing that stuff)
    1. The true hackers/phreakers/whatever they are called - They write programs to show off and put light on a big issue.
    2. Script kiddies - They are the ones who just copy off what those from the 1st group did and are those who once in a while knock big systems down.

    The reason why game servers don't get knocked down so often (once in a while someone drops off a few) is it's usually script kiddies doing havoc - And when they are bored doing drag 'n' drooling in that shiny i-face those from the first group made they'll go back to gaming. At least they'd figured out that knocking over something they are going to use isn't all that smart...

    By the way - Shouldn't people be looking into why Slammer was released instead of just saying "Yeah I'm an ultra cool sysadmin I figured out ALLL LLL by me self to close that port". It had no payload, no real use - and in fact 2 bugs afaik. How many of you out there have started an investigation into how the fuck that little sucker got on your network in the first place? Any of you actually went over your "trusted" sites and thought of fixing holes? I think Slammer was an experiment that accidentally got released before it was done.

  10. Re:BFD. You can do the same thing to the 10k CS by Osty · · Score: 5, Informative

    The problem with security for games like CS is that it was passed off by two other companies (id to valve and then to the CS team), so you've got a pretty confusing situation to take grasp of with all that passing of the security buck. I don't think the makers of CS are at all in the same league as John Carmack, but it doesn't seem to matter in the wake of HL/CS sales, does it?

    For being one of the first CS players, you sure have your timeline screwed up. Id never had anything to do with CS. I assume you mean that Id licensed the Quake 1 engine to Valve, who then modified the fuck out of it to create Half-Life, who then created and published the modification SDK, which was then used by the original volunteer team to create CS, which was eventually picked up by Valve. Similar to the progress of Team Fortress, which started as a Quake 1 modification, then the TF team was picked up by Valve to create Team Fortress 2 based on Half-Life, and who did the Half-Life based Team Fortress Classic, meant mostly as a proof-of-concept for the Half-Life mod SDK.

    TheCarmack is a god, but he and the Counter-Strike team are in completely different arenas. TheCarmack and others at Id are generally more interested in doing the infrastructure for games (thus the proliferation of games based on the various Quake engines, while the Id-created games tend to be fairly straightforward and more or less boring), while the Counter-Strike team is more along the lines of what Legend or Digital Extremes is to Epic, or Raven Software is to Id -- they create content (Wheel of Time, Unreal 2, various Quake-based games, etc), while the engine developers (Id, Epic) create the infrastructure. It seems to be a very profitable relationship for both parties, and is highly indicative of the way the game industry is moving -- some companies compete to create infrastructure (a la Windows vs. Linux), while other companies use that infrastructure and compete by making games (a la Microsoft Office vs. OpenOffice).

  11. Re:I really like Rein's comment by Osty · · Score: 2, Informative

    But seriously, it's nice to see a large company admitting it has "F***ed up".

    Epic is not a large company by any means. Certainly not in comparison to the Microsofts, Suns, and IBMs of the world, and not even within their own gaming market -- they're positively dwarfed by the big guys like EA, Acclaim, Infogrames/GT Interactive/Atari/whatever they're calling themselves now, etc. No, Epic is what a game development company should be -- small, dedicated, and highly focused on one thing at a time, similar to Id (which is also an extremely tiny company, as these things are measured).

    However, it's great to see these relatively small companies having so much influence in a market. Id and Epic literally own the FPS market, considering there are very few shooters that don't use technology from one or the other.

  12. Re:BFD. You can do the same thing to the 10k CS by Osty · · Score: 4, Informative

    Half-Life was based on the Quake 2 engine. Which still has a surprising number of network security issues considering the constant attacks when it was released.

    Nope. This is a popular misconception, based on the release dates of Half-Life and Quake 2. Half-Life was based on the Quake 1 codebase, and while they did add functionality that Quake 2 also had (hardware acceleration, though glquake did that too, colored lighting, one or two other things), they did a lot more as well, like skeletal animation. However, at its core, Half-Life was still based on Quake 1. Id Software has said as much (search that page for "Half-Life", you'll come up with "Remember this engine is the foundation for what Valve did with Half-Life, and the software and OpenGL rendering is still as fast as it ever was.").