Unreal Security Hole
Screaming Lunatic writes "There seems to be a big security hole in the Unreal engine that has been around for about 5 years. It affects servers for a number of games and operating systems, including Linux (which accounts for about 40% of UT2003 servers). Epic has been working on a patch for about 3 months. Imagine the bad publicity games would receive if a worm on the scale of Slammer had been created." A Bugtraq post from Thor Larholm of PivX says that Marc Rein of Epic threatened PivX with "getting our lawyers involved with this"; the TechTV article Larholm cites (the same one linked from this submission), however, contains no mention of legal action. Rein nonetheless apologized for "those completely unfortunate comments" in a followup message to Bugtraq.
It's been a question for years whether bug finders should go public with bug finds or contact the company directly as to the flaws and the extent of their risk. I think the Open Source community agrees that places like Bugtraq and open forums are the best way to discuss holes and security risks. Although Mark Rein was a little over-reactive and zealous, M$ and other companies should make more effort to help their users find bug reporting easy -- in an open environment. This would really speed up the patching process (the priority at least) as well as the overall quality of knowledge available to the users affected and the company whose product is at fault.
Good. On. Mark. Rein.
He admitted that they screwed up. (or fucked up, as the case may be.) He lost it when PivX went public. Then he apologised for losing it, and admitted that PivX was entirely in the right.
This is about as much news as the bug itself. Not much.
"People who do stupid things with hazardous materials often die." -- Jim Davidson on alt.folklore.urban
Being a fairly regular UT2003 player I can honestly say there are not nearly as many servers out there as open MS SQL boxes. There are maybe a 1000 or so boxes at any one time running servers and the traffic is generally low.
You've got a good point here. The problem with worms like Code Red and Nimda is, the patches have been available for months, but the server admins are simply incompetent, and haven't installed them (still!). In many cases, there is no "admin"; the owner of the business paid some paper-MCSE to set it up a long time ago, and they'd have to pay somebody to come back and do maintenance.
This won't be a major issue with an Unreal exploit. Since there is no patch yet, it may take a while for all the servers to get patched, but they will get patched.
I got another Code Red hit today:
$x='S24;r)>63/* h@<5+oZ)32"5cz';$me='phroggy'x$];
$x=~y+ -xz+\0-Tx+;print$_^chop$me for split'',$x;
What's really amazing about this flaw is that GameSpy and its ilk unwittingly offer thousands of IP addresses from which possible DOS attacks may originate. Part of running an Unreal server involves sending "heartbeats" to the master servers of your choice advertising your IP so that other players may easily connect.
No port scanning of any IP ranges to determine what services are available is needed.
That's like Microsoft providing a web page showing which IIS servers are still affected by Code Red and showing their IPs.
Praying for the end of your wide-awake nightmare.
Well after 2 years of unemployment, toqer is getting into the game house business. That's right, 40 computers T1, the works. I know that my users will be 10 times smarter than the average corporate user and 1/2 the age!
(dum bum bum)
Joking aside, from personal experience I say we're all doomed to open mouth insert foot once in a while, and Marc Rein is no exception. Before you disagree with me or mod me down, let me remind you all of what an *ASSET* Epic has been to the gaming community.
Unreal is cross platform, no waiting, it was there pretty much day 1. You can play UT2003 on win or lin.
In regards to my future business, Epic has THE BEST licensing compared to EA, Valve, Activision and Blizzard. Their license is basically "You buy it retail, go ahead and load it on your rental computer". The aforementioned companies want indefinite license fees and Epic doesn't.
Despite home PC gaming being the best, I know the gamehouse community will grow because not everyone can afford 50 P4 3GHz with hyperthreading. As long as the gamehouses keep their technology ahead of the "home curve" they will become a dominating force for showcasing games, a marketing tool if you will. Epic understands this and wants to see this happen.
Epic has been good to the gaming community, and since Marc was grown up enough to apologize, we should be grown up enough to forgive him.
Sorry I can't stop talking about the gamehouse thing.... Since I know some devs (Even Carmack at ID) read slash, hopefully if I get modded up enough they'll read this.
To: EA, Valve, Activision and Blizzard
Your indefinite contracts suck. Gamehouses are synonymous with arcades with one vital difference... You do not provide the actual hardware. The owner of the facility provides hardware at a HUGE cost. Try pricing a gamehouse built on Dells sometime and see, the monthly cost of lease and/or buy is crazy. Don't be cheap about it either, price all top of the line and see what you come up with.
The thing you guys don't see is that gamehouses could be the new retail outlet for your games. Licensing shmicening, send me a box of your product to sell on consignment, and I GUARANTEE I would sell out those boxes faster than any single Fry's or CompUSA store. Just find 1 gamehouse to TRY it with as an experiment, see if you sell more.
Did you RTFA (READ THE FUCKEN APOLOGY)?
I came across it when it came in my inbox from Bugtraq. Just try to imagine Steve Ballmer, in a very public forum literally saying "we fucked up". I thought it was one of the most amazing acts of humility I've ever seen from someone who is probably worth millions. Also, the TechTV article linked from the PivX letter citing "public legal threats"... ummm... doesn't contain any legal threats. I'm assuming that he made them on the air on TechTV.
Also, as Rein explained in his apology, his initial reaction was to the fact that PivX was implying that 4 games which were not even released yet were insecure; which is a conjecture on PivX's part, and which could potentially damage the sales of those games even if the holes were fixed. His initial reaction was that this was libel, and he was correct.
This conjecture was not properly disclosed in the original disclosure, which means if the developers for these games were to show that their code was in fact patched against these vulnerabilities, it is in fact libel.
And you get modded up to +5.... oh well.
Courtesy of Google Groups
I would think that that would not be much of a problem. I believe all of the netcode is Half-Life code, and hasn't been modified by the CS team.
One of the exploits allows you to run your own code on the machine running an Unreal-engined game. It should be possible to exploit this bug on the Xbox with Unreal Championship, too. That would be a way to run unsigned code on an unmodified Xbox. Unreal Championship would be something like a boot CD for Linux.
As far as I know Xbox games are running at Ring 0 for speed reasons, so it should be possible to get complete control over the Xbox and run Linux or other code without a modchip. Other networked games could have similar problems, so that scheme could work with other networked games too.
Jan