Slashdot Mirror
Unreal Security Hole
Screaming Lunatic writes "There seems to be a big security hole in the Unreal engine that has been around for about 5 years. It affects servers for a number of games and operating systems, including Linux (which accounts for about 40% of UT2003 servers). Epic has been working on a patch for about 3 months. Imagine the bad publicity games would receive if a worm on the scale of Slammer had been created." A Bugtraq post from Thor Larholm of Pivx,
says that Marc Rein of Epic threatened PivX with "getting
our lawyers involved with this"; the TechTV article Larholm cites (the same one linked from this submission), however, contains no
mention of legal action. Rein nonetheless apologized for "those completely unfortunate comments" in a followup message to Bugtraq.
So, how long until we see the "Monster Kill" virus begin to make the rounds?
More at bluesnews.
The flaw in a netshell is that if you have autodownload turned on, you don't know what you might get.
Well no shit.
So, there may be code in a level you get from a server. Whoopde doo, Basil. Do you autodownload and install browser plugins?
It's just a flaw in the complete system of downloading maps from untrusted servers. Turn AD off, get your maps from an archive you trust.
Slammer_Worm is on a killing spree!
Slammer_Worm is on rampage!
Slammer_Worm is dominating!
Slammer_Worm is unstoppable!
Slammer_Worm is Godlike!!!
"I only speak the truth"
Karma: null(Mostly affected by an unassigned variable)
Lots of software has security holes. Games are no different... the difference with games is that they are not targets. It's interesting that this one was spotted, but it's no real surprise.
The poster mentions Slammer. The difference between Slammer and this is that Slammer affected "mission critical" systems, and there are pretty easily demonstratable monetary losses attributed to that worm.
In the case of Unreal, there are not many (if any) businesses (or lives) depending on this software. Hypothetically, someone who hosts games for a fee would get some complaints from customers. But really, a lot of the people affected would be "home users". And, let's face it, home users (including those running Linux) are really vulnerable to all kinds of attacks. This is just a drop in the bucket...
Of course, it'd still suck to get fucked over by this security flaw (just like all the others).
Down with Saudi Arabia!!!
A.C.K.W PoStErS
- adv_pr.htm l
x t
a ction=v iewthread&threadid=39954
/ 0,24195, 3417248,00.html
- adv_pr.htm l
On February 5th, Luigi Auriemma of PivX Solutions released a tightly packed
advisory detailing multiple vulnerabilities in the Unreal network gaming
engine developed by Epic Games. These vulnerabilities affect both clients
and servers who are playing the plethora of games that are using the engine,
and has been readily exploitable for 5 years.
The press release:
http://www.pivx.com/press_releases/ueng
The advisory itself:
http://www.pivx.com/luigi/adv/ueng-adv.t
Following both industry and personal standards, PivX gave Epic Games a
duration of 30 days to (at the very least) respond to our private
notification to them. After nothing had happened during that month we
prepared to release the advisory, yet once the press asked Epic Games for
comments they were suddenly very responsive. Promises to work closely with
us on the vulnerability and advisory were made and we managed to hold down
the press for several months after this. 60 days passed after this, without
any collaberation, honest effort or actual contact from Epic Games.
We released the advisory after 90 days had passed from the original vendor
notification. 90 days, in which we were played like fools, in which Epic
Games had ample time and sufficient opportunity to react and work with us on
a coordinated release. 90 days in which Epic Games, from the best of our
comprehension, had archived our communications in the thrash, during which
we received no serious communication except for crisis handling at the
originally planned release time.
On February 6th, BluesNews (among many others) could cite a quote from Mark
Rein, Epic Games Vice President:
"I won't sugar coat this. We f***ed up on this. Yes this is real and yes
this was brought to our attention and yes we should have fixed it by now."
http://www.bluesnews.com/cgi-bin/board.pl?
On February 11th the tides have changed, and TechTV are reporting public
legal threats from that same person:
"This is slanderous," he says. "They've taken this too far. We're getting
our lawyers involved with this."
http://www.techtv.com/news/security/story
I fail to see how Mark Rein on one hand can publicly announce this to be a
real threat that they should have fixed earlier, and on the other hand can
announce the advisory to be false and malicious statements. There is no
slander or libel in any aspect of this, and the only imaginable outcome that
Mark Rein must have been aiming for by his declaration of layer involvement
is to silence future security research on Epic Games products through the
promise of unfounded barratry. As we know from precedents in the past, this
approach to security is counterproductive at best and encouraging for
underground security research at worst, and I can only hope for an official
retraction of this policy by Epic Games once other employees have had half a
minute to think about the implications and example that Mark Rein is setting
forth.
In the past, I have received better nonresponsive treatment by Microsoft
when their security handling was at its worst. Contrary to the vast
improvements that Microsoft has gone through over the last year and a half,
Epic Games did not even start to acknowledge the problem properly before a
full public disclosure had been made on February 5th.
I believe that Luigi, and all of PivX, has handled this issue in a
courteous, proffessional and ethical manner, and the uncoordinated release
that was its outcome stems from a direct result of a nonresponsive vendor
that at best is plainly ignorant and at worst acts directly against the best
interest and security of its own customers.
Regards
Thor Larholm
PivX Solutions, LLC - Senior Security Researcher
Latest PivX research: Multi-Vendor Unreal Engine Advisory
http://www.pivx.com/press_releases/ueng
When you play CS, you're supporting terrorists!
"threatened PivX with "getting our lawyers involved with this""
No, let's not let the lawyers get involved. THey make enough per hour as it is - we don't need to pay anyone $250/hr to play Unreal Tournament for "case notes."
Wait.. then again, lawyers in Unreal Tournament games. Hrm. It could be an all-out fragfest on a level that nobody could have ever imagined before. I like that idea!
"I won't sugar coat this. We f***ed up on this. Yes this is real and yes this was brought to our attention and yes we should have fixed it by now."
:)
I get the feeling that I'll be in my cold, cold grave before Microsoft starts releasing statements like this
But seriously, it's nice to see a large company admitting it has "F***ed up".
It's been a question for years whether bug finders should go public with bug finds or contact the company directly as to the flaws and the extent of their risk. I think the Open Source community agrees that places like bugtraq and open forums are the best way to discuss holes and security risks. Although Mark Rein was a little over-reactive and zealous M$ and other companies should make more effort to help their users find bug reporting easy -- in an open environment. This would really speed up the patching process (the priority at least) as well as the overall quality of knowledge available to the users affected and the company whose product is at fault.
A.C.K.W PoStErS
Thor,
I have sent your company an apology for those completely unfortunate
comments that I sincerely regret. We did provide an official statement
and I was not, at the time, aware that my verbal reaction, in a moment of
shock and surprise, was being captured for the article.
The comment was a complete over-reaction to seeing the list of games
including future games that have not yet been published. It had nothing
to do with the security issues themselves, the validity of the report, or
the way Pivx presented it to us. Pivx gave us more than fair enough
warning of the bugs and we simply failed to fix them in the allotted
time. We released a statement last week to the Unreal community
indicating that "we fucked up" in not addressing these concerns within
the given time and that we were already testing a patch with the security
issues corrected. In addition the official statement we gave pointed out
that we were fixing the holes and that the Pivx report was fair and
accurate. Licensees were already provided with the source code for the
security fixes.
Again this was a moment-of-stupidity reaction and I sincerely apologize
to Pivx and the entire security community. Epic has already stated that
we will take these matters far more seriously in the future.
Mark Rein,
Epic Games Inc.
Visit us at http://www.epicgames.com
Good. On. Mark. Rein.
He admitted that they screwed up. (or fucked up, as the case may be.) He lost it when pivx when public. Then he apologised for losing it, and admitted that pivx was entirely in the right.
This is about as much news as the bug itself. Not much.
"People who do stupid things with hazardous materials often die." -- Jim Davidson on alt.folklore.urban
And you get modded as insightful... oh well.
that's why I've lost so many matches! Somebody is executing malicious code that screws up my aim and makes me play like crap.
Now they should make a movie, where some kid installs this on his dad's computer at work, and his dad just HAPPENS to be the scientist involved in working the computers that controls nuclear weapons, and they have to play unreal, and if they loose: the world will be destroyed, so they put the kid in some virtual reality suit so he can get inside the game and play for real and save the day. oh come on! its as good a plot as any other videogame based movie, think of that and really tell me honestly that wouldn't be the plot of any unreal movie that came out....
-You're wasting your time. Alfador only likes me.
GG
NEW MAP!!!!!!!!!!!!!!!!!!1111
GG EVARYBODY
ZEROSTUD IS A CHEATER
YEAH, I
OMFG UR TEH LAMER
SHUTUP, U CAMPING FAG
[FGP]-Killaz-X -0- LAG!
NO LAG U SUX
NO FUCK YOU
I GET 20 PING
U GUYS HERE ABOUT TEH SECURITY THING??!
GG
NEW MAP
LATZ, IM GONNA PLAY CS
FUCK YOU
KILLING SPREE
UR CHEATING
KICK HIM
STFU U LAMR, YUO SUK
VOTE ON NEW MAP
What's really amazing about this flaw is that GameSpy and it's ilk unwittingly offer thousands of IP addresses from which possible DOS attacks may originate. Part of running an Unreal server involves sending "heartbeats" to the master servers of your choice advertising your IP so that other players may easily connect.
No port scanning any IP ranges to determine what services available is needed.
That's like Microsoft providing a web page showing which IIS servers are still affected by code red and showing their IP's.
Praying for the end of your wide-awake nightmare.
Well after 2 years of unemployment, toqer is getting into the game house business. That's right, 40 computers T1, the works. I know that my users will be 10 times smarter than the average corporate user and 1/2 the age!
(dum bum bum)
Joking aside, from personal experience I say we're all doomed to open mouth insert foot once in a while, and Marc Rein is no exception. Before you disagree with me or mod me down, let me remind you all of what a *ASSET* epic has been to the gaming community.
Unreal is cross platform, no waiting, it was there pretty much day 1. You can play UT2003 on win or lin.
In regards to my future business, epic has THE BEST licensing compared to EA, Valve, Activision and blizzard, their license is basically "You buy it retail, go ahead and load it on your rental computer" The afformentioned companies want indefinite license fee's and Epic doesn't.
Despite home PC gaming being the best, I know the gamehouse community will grow because not everyone can afford 50 P4 3ghz with hyperthreading. As long as the gamehouses keep their technology ahead the the "home curve" they will become a dominating force for showcasing games, a marketing tool if you will. Epic understands this and wants to see this happen.
Epic has been good to the gaming community, and since Marc was grown up enough to apoligize, we should be grown up enough to forgive him.
Sorry I can't stop talking about the gamehouse thing....Since I know some dev's (Even Carmack at ID) read slash, hopefully if I get modded up enough they'll read this.
To: EA, Valve, Activision and blizzard
Your indefinite contracts suck. Gamehouses are Synonymous with arcades with one vital difference... You do not provide the actual hardware. The owner of the facility provides hardware at a HUGE cost. Try pricing a gamehouse built on Dells sometime and see, the monthly cost of lease / and or buy is crazy. Don't be cheap about it either, price all top of the line and see what you come up with.
The thing you guys don't see is that gamehouse could be the new retail outlet for your games. Licensing shmicening, send me a box of your product to sell on consignment, and I GUARANTEE I would sell out those boxes faster than any single fry's or compusa store. Just find 1 gamehouse to TRY it with as an experiment, see if you sell more.
Kudos, however, to Epic for later retracting it.
Not so much a sig as a lack of one.
Frankly, if you're someone who routinely writes "ppl" in place of "people" you're already demonstrating such severe degeneration of health/brain that you may already be a lost cause.
Sooo...what I wanted to say is that I hope that someone f**k the game-servers up so badly that these trapped gamerz can see what life has to offer!
Might I suggest you take some of the same advice you give to these "gamerz" and check out what life has to offer. It appears to be passing you by.
"They do not preach that their god will rouse them, a little before the Nuts work loose." Kipling, 'The Sons of Martha'
"Games are no safer than any other piece of Internet connected piece of software."
I'd go one step further and suggest games are *less* secure than regular software since the dev team has many more issues to deal with other than regular software, with less time and less operating money, especially for PC games. Console game seem to have a lot more operations cash lying around, but I can't understand why. Likely it's because PC games attract more resourceful people who sell themselves short? Hard to say.
The half-life (pardon the pun) of games is also much less than regular software. The rush to buy a game might last a few months, while in contrast software like Photoshop has a continual demand that is unbending. And Microsoft could release a program with a little flashing textbox and sell a billion copies at $400 a pop. It's sick.
Games are also flukes at times, too. Who would have ever thunk CS would be so damn popular? I remember being on the first servers and we all thought it was cool but we never had a notion it would blow everything else away.
The problem with security for games like CS is that it was passed off by two other companies (id to valve and then to the CS team), so you've got a pretty confusing situation to take grasp of with all that passing of the security buck. I don't think the makers of CS are at all in the same league as John Carmack, but it doesn't seem to matter in the wake of HL/CS sales, does it?
Kazaa's next legal defense will be that their software is not a file-sharing service but really an instant messaging server with a security hole that can be exploited to give access to a user's hard drive.
Ergonomica Auctorita Illico!
For being one of the first CS players, you sure have your timeline screwed up. Id never had anything to do with CS. I assume you mean that Id licensed the Quake 1 engine to Valve, who then modified the fuck out of it to create Half-Life, who then created and published the modification SDK, which was then used by the original volunteer team to create CS, which was eventually picked up by Valve. Similar to the progress of Team Fortress, which started as a Quake 1 modification, then the TF team was picked up by Valve to create Team Fortress 2 based on Half-Life, and who did the Half-Life based Team Fortress Classic, meant mostly as a proof-of-concept for the Half-Life mod SDK.
TheCarmack is a god, but he and the Counter-Strike team are in completely different arenas. TheCarmack and others at Id are generally more interested in doing the infrastructure for games (thus the proliferation of games based on the various Quake engines, while the Id-created games tend to be fairly straight-forward and more or less boring), while the Counter-Strike team is more along the lines of what Legend or Digital Etremes is to Epic, or Raven software is to Id -- they create content (Wheel of Time, Unreal 2, various Quake-based games, etc), while the engine developers (Id, Epic) create the infrastructure. It seems to be a very profitable relationship for both parties, and is highly indicative of the way the game industry is moving -- some companies compete to create infrastructure (a la Windows vs. Linux), while other companies use that infrastructure and compete by making games (a la Microsoft Office vs. OpenOffice).
Nope. This is a popular misconception, based on the release dates of Half-Life and Quake 2. Half-Life was based on the Quake 1 codebase, and while they did add functionality that Quake 2 also had (hardware acceleration, though glquake did that too, colored lighting, one or two other things), they did a lot more as well, like skeletal animation. However, at its core, Half-Life was still based on Quake 1. Id Software has said as much (search that page for "Half-Life", you'll come up with "Remember this engine is the foundation for what Valve did with Half-Life, and the software and OpenGL rendering is still as fast as it ever was.").
You, clearly, do not run a dedicated Unreal Tournament server. Or maybe you thought the occasional "runaway-process" that eats all your memory and disk-space before crashing was just a random benign bug?
I had to run ucc-bin in an unprivledged environment and put "ulimit" guard rails around it on my linux server to keep it from taking the OS with it when it was attacked. Now it's just the game that crashes.
And then, when I had a cron job to detect and bring the server back up- some very unscrupulous players would use the crash-and-restart "feature" to kick other players off the server and have their friends rejoin.
So- now when some id10t crashes the server, it stays down for up to 4 hours. That way the skr1pt k1dd13s get bored and go f--- up someone elses server.
No, I'd say it's been abused. Any dedicated server operator has known about these holes for years. It's nice to see it get acknowledged. There isn't an original UT patch yet. Now let's just hope there's a patch BEFORE there's a whole new slew of exploits.
- PM