Slashdot Mirror
Unreal Security Hole
Screaming Lunatic writes "There seems to be a big security hole in the Unreal engine that has been around for about 5 years. It affects servers for a number of games and operating systems, including Linux (which accounts for about 40% of UT2003 servers). Epic has been working on a patch for about 3 months. Imagine the bad publicity games would receive if a worm on the scale of Slammer had been created." A Bugtraq post from Thor Larholm of Pivx,
says that Marc Rein of Epic threatened PivX with "getting
our lawyers involved with this"; the TechTV article Larholm cites (the same one linked from this submission), however, contains no
mention of legal action. Rein nonetheless apologized for "those completely unfortunate comments" in a followup message to Bugtraq.
More at bluesnews.
The flaw in a netshell is that if you have autodownload turned on, you don't know what you might get.
Well no shit.
So, there may be code in a level you get from a server. Whoopde doo, Basil. Do you autodownload and install browser plugins?
It's just a flaw in the complete system of downloading maps from untrusted servers. Turn AD off, get your maps from an archive you trust.
A.C.K.W PoStErS
- adv_pr.htm l
x t
a ction=v iewthread&threadid=39954
/ 0,24195, 3417248,00.html
- adv_pr.htm l
On February 5th, Luigi Auriemma of PivX Solutions released a tightly packed
advisory detailing multiple vulnerabilities in the Unreal network gaming
engine developed by Epic Games. These vulnerabilities affect both clients
and servers who are playing the plethora of games that are using the engine,
and has been readily exploitable for 5 years.
The press release:
http://www.pivx.com/press_releases/ueng
The advisory itself:
http://www.pivx.com/luigi/adv/ueng-adv.t
Following both industry and personal standards, PivX gave Epic Games a
duration of 30 days to (at the very least) respond to our private
notification to them. After nothing had happened during that month we
prepared to release the advisory, yet once the press asked Epic Games for
comments they were suddenly very responsive. Promises to work closely with
us on the vulnerability and advisory were made and we managed to hold down
the press for several months after this. 60 days passed after this, without
any collaberation, honest effort or actual contact from Epic Games.
We released the advisory after 90 days had passed from the original vendor
notification. 90 days, in which we were played like fools, in which Epic
Games had ample time and sufficient opportunity to react and work with us on
a coordinated release. 90 days in which Epic Games, from the best of our
comprehension, had archived our communications in the thrash, during which
we received no serious communication except for crisis handling at the
originally planned release time.
On February 6th, BluesNews (among many others) could cite a quote from Mark
Rein, Epic Games Vice President:
"I won't sugar coat this. We f***ed up on this. Yes this is real and yes
this was brought to our attention and yes we should have fixed it by now."
http://www.bluesnews.com/cgi-bin/board.pl?
On February 11th the tides have changed, and TechTV are reporting public
legal threats from that same person:
"This is slanderous," he says. "They've taken this too far. We're getting
our lawyers involved with this."
http://www.techtv.com/news/security/story
I fail to see how Mark Rein on one hand can publicly announce this to be a
real threat that they should have fixed earlier, and on the other hand can
announce the advisory to be false and malicious statements. There is no
slander or libel in any aspect of this, and the only imaginable outcome that
Mark Rein must have been aiming for by his declaration of layer involvement
is to silence future security research on Epic Games products through the
promise of unfounded barratry. As we know from precedents in the past, this
approach to security is counterproductive at best and encouraging for
underground security research at worst, and I can only hope for an official
retraction of this policy by Epic Games once other employees have had half a
minute to think about the implications and example that Mark Rein is setting
forth.
In the past, I have received better nonresponsive treatment by Microsoft
when their security handling was at its worst. Contrary to the vast
improvements that Microsoft has gone through over the last year and a half,
Epic Games did not even start to acknowledge the problem properly before a
full public disclosure had been made on February 5th.
I believe that Luigi, and all of PivX, has handled this issue in a
courteous, proffessional and ethical manner, and the uncoordinated release
that was its outcome stems from a direct result of a nonresponsive vendor
that at best is plainly ignorant and at worst acts directly against the best
interest and security of its own customers.
Regards
Thor Larholm
PivX Solutions, LLC - Senior Security Researcher
Latest PivX research: Multi-Vendor Unreal Engine Advisory
http://www.pivx.com/press_releases/ueng
A.C.K.W PoStErS
Thor,
I have sent your company an apology for those completely unfortunate
comments that I sincerely regret. We did provide an official statement
and I was not, at the time, aware that my verbal reaction, in a moment of
shock and surprise, was being captured for the article.
The comment was a complete over-reaction to seeing the list of games
including future games that have not yet been published. It had nothing
to do with the security issues themselves, the validity of the report, or
the way Pivx presented it to us. Pivx gave us more than fair enough
warning of the bugs and we simply failed to fix them in the allotted
time. We released a statement last week to the Unreal community
indicating that "we fucked up" in not addressing these concerns within
the given time and that we were already testing a patch with the security
issues corrected. In addition the official statement we gave pointed out
that we were fixing the holes and that the Pivx report was fair and
accurate. Licensees were already provided with the source code for the
security fixes.
Again this was a moment-of-stupidity reaction and I sincerely apologize
to Pivx and the entire security community. Epic has already stated that
we will take these matters far more seriously in the future.
Mark Rein,
Epic Games Inc.
Visit us at http://www.epicgames.com
And you get modded as insightful... oh well.
Kudos, however, to Epic for later retracting it.
Not so much a sig as a lack of one.
For being one of the first CS players, you sure have your timeline screwed up. Id never had anything to do with CS. I assume you mean that Id licensed the Quake 1 engine to Valve, who then modified the fuck out of it to create Half-Life, who then created and published the modification SDK, which was then used by the original volunteer team to create CS, which was eventually picked up by Valve. Similar to the progress of Team Fortress, which started as a Quake 1 modification, then the TF team was picked up by Valve to create Team Fortress 2 based on Half-Life, and who did the Half-Life based Team Fortress Classic, meant mostly as a proof-of-concept for the Half-Life mod SDK.
TheCarmack is a god, but he and the Counter-Strike team are in completely different arenas. TheCarmack and others at Id are generally more interested in doing the infrastructure for games (thus the proliferation of games based on the various Quake engines, while the Id-created games tend to be fairly straight-forward and more or less boring), while the Counter-Strike team is more along the lines of what Legend or Digital Etremes is to Epic, or Raven software is to Id -- they create content (Wheel of Time, Unreal 2, various Quake-based games, etc), while the engine developers (Id, Epic) create the infrastructure. It seems to be a very profitable relationship for both parties, and is highly indicative of the way the game industry is moving -- some companies compete to create infrastructure (a la Windows vs. Linux), while other companies use that infrastructure and compete by making games (a la Microsoft Office vs. OpenOffice).
Nope. This is a popular misconception, based on the release dates of Half-Life and Quake 2. Half-Life was based on the Quake 1 codebase, and while they did add functionality that Quake 2 also had (hardware acceleration, though glquake did that too, colored lighting, one or two other things), they did a lot more as well, like skeletal animation. However, at its core, Half-Life was still based on Quake 1. Id Software has said as much (search that page for "Half-Life", you'll come up with "Remember this engine is the foundation for what Valve did with Half-Life, and the software and OpenGL rendering is still as fast as it ever was.").