Slashdot Mirror


Unreal Security Hole

Screaming Lunatic writes "There seems to be a big security hole in the Unreal engine that has been around for about 5 years. It affects servers for a number of games and operating systems, including Linux (which accounts for about 40% of UT2003 servers). Epic has been working on a patch for about 3 months. Imagine the bad publicity games would receive if a worm on the scale of Slammer had been created." A Bugtraq post from Thor Larholm of PivX says that Marc Rein of Epic threatened PivX with "getting our lawyers involved with this"; the TechTV article Larholm cites (the same one linked from this submission), however, contains no mention of legal action. Rein nonetheless apologized for "those completely unfortunate comments" in a followup message to Bugtraq.

15 of 250 comments

  1. Free Software 2.0 by Anonymous Coward · · Score: 0, Insightful
    By Douglas Boling

    My mother always told me never to disturb a hornet's nest. Those critters will come after you with all their fury. It seems that's what I did with my last column, "Free Software. Is it Worth the Cost?" (MIND, May 1999). I'm going to use this column to respond to the large amount of email received at the MIND offices in the last week.
    First, I should say what these two columns are not. I'm not here to criticize Linux. I'm sure it's a fine operating system; its market share is substantial. Folks who use it seem satisfied. While I might have a few bones to pick with Linux as it stands today, I'm not interested in getting into a shouting match over Linux.

    I'm also not interested in defending Microsoft. I don't wish to be drawn into an argument about the size, marketing practices, or quality of Microsoft code. That's not what this column is about. Frankly, a company as fast on its feet as Microsoft can change and thrive in almost any environment. I don't worry about its future.

    This column is about the question: should intellectual property - more specifically, software - be "free"?

    Many respondents thought I was confused on the concept of free as it applied to software. They quoted the "think free speech, not free beer" statement from the Free Software Foundation Web site, http://www.fsf.org/philosophy/free-sw.html. I think I was on the money. For the definition of free, let's use the four freedoms listed on the FSF site, specifically on the URL listed above. The third of these freedoms is "The freedom to redistribute copies so you can help your neighbor." Well folks, if you can freely distribute copies of a program you didn't produce, it's pretty much free in the beer sense as well as the speech sense. It's the freedom to distribute that brings this back to a discussion about economics as well as freedom.

    Reading the GNU manifesto (http://www.fsf.org/gnu/manifesto.html) is enlightening and I recommend anyone discussing this topic to do so. However, in its pure form, the GNU concept does envision a world where general-purpose software is freely available - a world where the programmers are hired for support of this public software. Boy, that's what I live for, maintaining someone else's code.

    I like a world where a programmer can sit in a spare bedroom hacking away late at night. When the product is ready, the budding young entrepreneur can sell the product. All the toils of late-night development may then be rewarded with, among other things, a nice pile of cash. This flies in the face of the GNU concept where the product can be distributed by anyone to anyone. Per copy licenses allow a one-to-many multiplier when it comes to the value a programmer generates. Without it, a programmer is left selling his or her skills as a journeyman hacker to the large companies that use the freely distributed software.

    If GNU software becomes the norm, of course programmers won't starve. To quote the manifesto, "The real reason programmers will not starve is that it will still be possible for them to get paid for programming; just not paid as much as now." That's a bright future for a high school counselor to put in front of a kid. Sure, some folks will program for the love of it, myself included. It's not a bad thing, though, to be paid and paid well for a program well written. A few companies are paying programmers to write either "free" software or open source software, but large companies like Apple and Netscape have license agreements that violate the spirit and even the word of the GNU General Public License.

    This leads me to my last point. Many of the respondents jumped all over the fact that I stated "It's hard to compete if your competition is free" without mentioning Microsoft Internet Explorer. I have less than a thousand words to make a point in this column, so some things have to be understood, not stated explicitly. Of course Internet Explorer is free. However, the developers who wrote Internet Explorer were paid for their efforts.

    Finally, last month's column has been used by many as an example of FUD by a Microsoft employee. I'm not, nor have I ever been, an employee of Microsoft. My column is written on my own, thousands of miles from the MIND offices. Now, clearly this column is published in a magazine produced by Microsoft employees, so I am not going to maintain that I am free to say just anything, but any censorship is self-imposed, not the result of pressure from Microsoft. The recently appended disclaimer at the foot of the column is the direct result of my editors wanting to disassociate themselves from my opinions while at the same time allowing me the space to state them.

    These two columns have been about discussing the concept of intellectual property and whether it should be "free" or owned. Intelligent people can take either side of the argument. I'm not bashing the other side, I'm disagreeing with it. Folks on the "free" side ought to consider that there is another side to the issue and debate it intellectually, not emotionally. In any case, it's time to move on. I welcome opportunities to debate the topic in other arenas.

    The opinions expressed herein are those of Douglas Boling and should not be construed as the opinions of Microsoft Corporation.

    Troll 66 of 208 from the annals of the Troll Library.

  2. Let's not overreact here... by I'm+a+racist. · · Score: 5, Insightful

    Lots of software has security holes. Games are no different... the difference with games is that they are not targets. It's interesting that this one was spotted, but it's no real surprise.

    The poster mentions Slammer. The difference between Slammer and this is that Slammer affected "mission critical" systems, and there are pretty easily demonstrable monetary losses attributed to that worm.

    In the case of Unreal, there are not many (if any) businesses (or lives) depending on this software. Hypothetically, someone who hosts games for a fee would get some complaints from customers. But really, a lot of the people affected would be "home users". And, let's face it, home users (including those running Linux) are really vulnerable to all kinds of attacks. This is just a drop in the bucket...

    Of course, it'd still suck to get fucked over by this security flaw (just like all the others).

    --


    Down with Saudi Arabia!!!
    1. Re:Let's not overreact here... by Screaming+Lunatic · · Score: 3, Insightful
      I agree, UT2K3 is not mission critical. I was trying to draw similarities.

      The hole can be used to launch a DDOS attack. Over the last 5 years, there have been tons of games built on the Unreal engine. I haven't seen specific numbers, but the number of Unreal servers and the number of SQLServers out there in the wild is probably comparable. University students running Unreal servers have big pipes.

      Games use UDP extensively. Slammer used UDP.

      There are about 15 different games that need patching. How many of those servers will get patched after it is released? There was a patch for Slammer before it hit.

    2. Re:Let's not overreact here... by Lord+Ender · · Score: 3, Insightful

      "There are about 15 different games that need patching. How many of those servers will get patched after it is released? There was a patch for Slammer before it hit."

      I would guess that all of the games get patched. Unlike databases, games are not compatible between versions. When game patches come out, nobody can play unless they have the same patch level. This forces everyone to upgrade or not play.

      --
      A slashdotter who didn't build his own computer is like a Jedi who didn't build his own lightsaber.
    3. Re:Let's not overreact here... by Clovert+Agent · · Score: 3, Insightful

      That's a rather naive line of thinking. Slammer did _collateral_ damage - ATMs knocked offline, 911 call centers affected, MS authentication servers downed - not because they were infected SQL servers, but because their networks were DDOSed by the packet flood of other infected hosts.

      The same packet flood coming from ANYWHERE would have the same effect. The issue is the number of vulnerable hosts out there. If the number is high enough, the danger is real.

  3. Not just unreal... by Anonymous Coward · · Score: 3, Insightful

    Think about it. There are literally thousands of internet based applications in use every day, and they range from the obscure to the common on a wide variety of operating systems.

    Just because your favorite (or even least favorite) app hasn't had a major hole found in it that doesn't mean it isn't there. You might be running a time-bomb on even the most secure of your systems and not even be aware.

    Of course this is all obvious to anybody who has been online for a while.

  4. BFD. You can do the same thing to the 10k CS by BoomerSooner · · Score: 3, Insightful

    Servers out there. Simply create UDP packets and send them to 10000 servers and they will all respond to the place you want to DoS. Games are no safer than any other piece of Internet connected piece of software.

    This should definitely get more attention now and in the future. The innocence of the internet is long dead (long live the king [of porn]).

    1. Re:BFD. You can do the same thing to the 10k CS by dolo666 · · Score: 4, Insightful

      "Games are no safer than any other piece of Internet connected piece of software."

      I'd go one step further and suggest games are *less* secure than regular software since the dev team has many more issues to deal with other than regular software, with less time and less operating money, especially for PC games. Console games seem to have a lot more operations cash lying around, but I can't understand why. Likely it's because PC games attract more resourceful people who sell themselves short? Hard to say.

      The half-life (pardon the pun) of games is also much less than regular software. The rush to buy a game might last a few months, while in contrast software like Photoshop has a continual demand that is unbending. And Microsoft could release a program with a little flashing textbox and sell a billion copies at $400 a pop. It's sick.

      Games are also flukes at times, too. Who would have ever thunk CS would be so damn popular? I remember being on the first servers and we all thought it was cool but we never had a notion it would blow everything else away.

      The problem with security for games like CS is that it was passed off by two other companies (id to valve and then to the CS team), so you've got a pretty confusing situation to take grasp of with all that passing of the security buck. I don't think the makers of CS are at all in the same league as John Carmack, but it doesn't seem to matter in the wake of HL/CS sales, does it?

  5. Re:I really like Rein's comment by sean23007 · · Score: 3, Insightful

    Can you imagine how much more vehemently people would jump on Microsoft if they said something like that?

    40% of UT2003 servers run on Linux. Basically, on a site like Slashdot, that makes them immune to criticism. No offense, but this is all pretty hypocritical (and mod me down to redundant if you like, as this has been said before in a hundred other threads).

    --

    Lack of eloquence does not denote lack of intelligence, though they often coincide.
  6. Hehe by Anonymous Coward · · Score: 1, Insightful

    IT'S A TRAP!

    [/Admiral Akbar]

  7. Damn, and I just thought it was RedHat... by ChrisKnight · · Score: 2, Insightful

    Many moons ago I used to host a dedicated Unreal Tournament server named "Mr.Toad's Wild Ride". It was on a P3-550 running RedHat 6. The only Linux box in my cabinet, all the other servers were FreeBSD.

    One day my network went to crap, and I found that the switch had been overloaded with bogus MAC addresses. Turns out someone had hacked the Unreal Tournament box and put a very nasty packet sniffer on it. (Thank the gods for ssh.)

    I had always assumed it was just the default state of a RedHat 6 box that had been easily cracked.

    -Chris

    --
    -- This sig is only a test. If this were a real sig it would say something witty. --
  8. Sounds like a reflection attack... by wirelessbuzzers · · Score: 2, Insightful

    - Local and remote denial of service.
    - Distributed denial of service (flooding remote computers with data packets to freeze it).
    - Bounce attacks with spoofed UDP packets


    This bit sounds an awful lot like the GameSpy reflection attack: you send them a forged UDP packet asking for some resource, they send out 400 times as much data to the poor bloke whose IP you put on it. Rinse, lather, repeat and you have yourself a pretty big DRDOS (not the guys MS killed, rather a Distributed Reflection Denial Of Service).

    --
    I hereby place the above post in the public domain.
  9. chroot + firewall? by anonymous+cupboard · · Score: 2, Insightful
    It is impossible to know if any application may be vulnerable on any kind of box, but on Linux, we have a chroot 'jail' to run apps in (very good for servers they may serve too much) and iptables which can strictly limit the allowable ports.

    If you really want to be paranoid, you can run a server inside a User Mode Linux VM which is only a little slower than a real box (only the system calls are emulated, not the instructions) and iptables on all IP connections into and out of the box.

    It wouldn't solve every problem, but it would reduce the ill-effects of most worms.

  10. Re:Unreal players discussing the security hole by Pike65 · · Score: 3, Insightful

    You know the really annoying thing? UT2003 has the bots talking like this (at least they do in the demo - I may be talking shit for the full version).

    Who in the hell thought that it would be a good idea to take the most annoying facet of the playing online and then turn it into a game feature?

    I nearly cried when the bots started shouting "Ownage!" at each other. You can almost hear the numerics in every word.

    /me shudders

    --
    "If being a geek means being passionate about something, then I pity those who aren't geeks." - Pike65
  11. Re:Fix already released by phreakmonkey · · Score: 4, Insightful
    It's been around for a long time but as far as I know this security issue hasn't been abused yet.

    You, clearly, do not run a dedicated Unreal Tournament server. Or maybe you thought the occasional "runaway-process" that eats all your memory and disk-space before crashing was just a random benign bug?

    I had to run ucc-bin in an unprivileged environment and put "ulimit" guard rails around it on my linux server to keep it from taking the OS with it when it was attacked. Now it's just the game that crashes.

    And then, when I had a cron job to detect and bring the server back up- some very unscrupulous players would use the crash-and-restart "feature" to kick other players off the server and have their friends rejoin.

    So- now when some id10t crashes the server, it stays down for up to 4 hours. That way the skr1pt k1dd13s get bored and go f--- up someone else's server.

    No, I'd say it's been abused. Any dedicated server operator has known about these holes for years. It's nice to see it get acknowledged. There isn't an original UT patch yet. Now let's just hope there's a patch BEFORE there's a whole new slew of exploits.

    - PM
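
The guard rails described in the comment above (an unprivileged account, `ulimit` caps, and a long cooldown instead of an instant cron restart), sketched as an added example that is not part of the original post or the poster's actual setup. The limit values, the stamp-file path and the `run` argument are assumptions; the server command line is passed in by the operator.

```shell
#!/bin/sh
# Added example: supervise a crash-prone dedicated server with resource caps.
# All values below are assumptions; tune them per host.
MEM_KB="${MEM_KB:-1048576}"           # address-space cap for ulimit -v (KiB)
FILE_BLOCKS="${FILE_BLOCKS:-204800}"  # ulimit -f; block size depends on the shell
COOLDOWN="${COOLDOWN:-14400}"         # 4 hours, in seconds
STAMP="${STAMP:-./lastcrash.stamp}"   # hypothetical path; keep it writable only by the service user

# is_privileged UID -> succeeds when UID is root
is_privileged() { [ "$1" -eq 0 ]; }

# run_limited CMD... -> run CMD in a subshell so the caps never leak into
# the supervisor; fail closed (125) if any cap cannot be applied.
run_limited() (
    ulimit -c 0              || exit 125   # no core dumps filling the disk
    ulimit -v "$MEM_KB"      || exit 125   # runaway allocation is refused
    ulimit -f "$FILE_BLOCKS" || exit 125   # runaway log/file growth is stopped
    exec "$@"
)

# cooldown_remaining NOW -> prints seconds until a restart is allowed (0 = go)
cooldown_remaining() {
    last=0
    [ -r "$STAMP" ] && last=$(cat "$STAMP")
    case "$last" in ''|*[!0-9]*) last=0 ;; esac   # ignore a corrupt stamp
    left=$(( last + COOLDOWN - $1 ))
    [ "$left" -gt 0 ] || left=0
    echo "$left"
}

# Usage: ./supervise.sh run ./ucc-bin <operator's usual arguments>
if [ "${1:-}" = "run" ]; then
    shift
    if is_privileged "$(id -u)"; then
        echo "refusing to run the game server as root" >&2
        exit 1
    fi
    while :; do
        wait_s=$(cooldown_remaining "$(date +%s)")
        [ "$wait_s" -eq 0 ] || { sleep "$wait_s"; continue; }
        run_limited "$@" && break      # clean exit: stop supervising
        date +%s > "$STAMP"            # crash: start the cooldown
        echo "server exited abnormally; staying down ${COOLDOWN}s" >&2
    done
fi
```

The cooldown removes the incentive the comment mentions: crashing the server no longer produces a quick restart that can be used to shuffle who is connected.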