Unreal Security Hole
Screaming Lunatic writes "There seems to be a big security hole in the Unreal engine that has been around for about 5 years. It affects servers for a number of games and operating systems, including Linux (which accounts for about 40% of UT2003 servers). Epic has been working on a patch for about 3 months. Imagine the bad publicity games would receive if a worm on the scale of Slammer had been created." A Bugtraq post from Thor Larholm of PivX says that Marc Rein of Epic threatened PivX with "getting our lawyers involved with this"; the TechTV article Larholm cites (the same one linked from this submission), however, contains no mention of legal action. Rein nonetheless apologized for "those completely unfortunate comments" in a followup message to Bugtraq.
So, how long until we see the "Monster Kill" virus begin to make the rounds?
More at bluesnews.
The flaw in a netshell is that if you have autodownload turned on, you don't know what you might get.
Well no shit.
So, there may be code in a level you get from a server. Whoopde doo, Basil. Do you autodownload and install browser plugins?
It's just a flaw in the complete system of downloading maps from untrusted servers. Turn AD off, get your maps from an archive you trust.
Slammer_Worm is on a killing spree!
Slammer_Worm is on rampage!
Slammer_Worm is dominating!
Slammer_Worm is unstoppable!
Slammer_Worm is Godlike!!!
"I only speak the truth"
Karma: null(Mostly affected by an unassigned variable)
Lots of software has security holes. Games are no different... the difference with games is that they are not targets. It's interesting that this one was spotted, but it's no real surprise.
The poster mentions Slammer. The difference between Slammer and this is that Slammer affected "mission critical" systems, and there are pretty easily demonstrable monetary losses attributed to that worm.
In the case of Unreal, there are not many (if any) businesses (or lives) depending on this software. Hypothetically, someone who hosts games for a fee would get some complaints from customers. But really, a lot of the people affected would be "home users". And, let's face it, home users (including those running Linux) are really vulnerable to all kinds of attacks. This is just a drop in the bucket...
Of course, it'd still suck to get fucked over by this security flaw (just like all the others).
Down with Saudi Arabia!!!
A.C.K.W PoStErS
On February 5th, Luigi Auriemma of PivX Solutions released a tightly packed
advisory detailing multiple vulnerabilities in the Unreal network gaming
engine developed by Epic Games. These vulnerabilities affect both clients
and servers who are playing the plethora of games that are using the engine,
and have been readily exploitable for 5 years.
The press release:
http://www.pivx.com/press_releases/ueng
The advisory itself:
http://www.pivx.com/luigi/adv/ueng-adv.t
Following both industry and personal standards, PivX gave Epic Games a
duration of 30 days to (at the very least) respond to our private
notification to them. After nothing had happened during that month we
prepared to release the advisory, yet once the press asked Epic Games for
comments they were suddenly very responsive. Promises to work closely with
us on the vulnerability and advisory were made and we managed to hold down
the press for several months after this. 60 days passed after this, without
any collaboration, honest effort or actual contact from Epic Games.
We released the advisory after 90 days had passed from the original vendor
notification. 90 days, in which we were played like fools, in which Epic
Games had ample time and sufficient opportunity to react and work with us on
a coordinated release. 90 days in which Epic Games, from the best of our
comprehension, had archived our communications in the trash, during which
we received no serious communication except for crisis handling at the
originally planned release time.
On February 6th, BluesNews (among many others) could cite a quote from Mark
Rein, Epic Games Vice President:
"I won't sugar coat this. We f***ed up on this. Yes this is real and yes
this was brought to our attention and yes we should have fixed it by now."
http://www.bluesnews.com/cgi-bin/board.pl?
On February 11th the tides have changed, and TechTV are reporting public
legal threats from that same person:
"This is slanderous," he says. "They've taken this too far. We're getting
our lawyers involved with this."
http://www.techtv.com/news/security/story
I fail to see how Mark Rein on one hand can publicly announce this to be a
real threat that they should have fixed earlier, and on the other hand can
announce the advisory to be false and malicious statements. There is no
slander or libel in any aspect of this, and the only imaginable outcome that
Mark Rein must have been aiming for by his declaration of lawyer involvement
is to silence future security research on Epic Games products through the
promise of unfounded barratry. As we know from precedents in the past, this
approach to security is counterproductive at best and encouraging for
underground security research at worst, and I can only hope for an official
retraction of this policy by Epic Games once other employees have had half a
minute to think about the implications and example that Mark Rein is setting
forth.
In the past, I have received better nonresponsive treatment by Microsoft
when their security handling was at its worst. Contrary to the vast
improvements that Microsoft has gone through over the last year and a half,
Epic Games did not even start to acknowledge the problem properly before a
full public disclosure had been made on February 5th.
I believe that Luigi, and all of PivX, has handled this issue in a
courteous, professional and ethical manner, and the uncoordinated release
that was its outcome stems from a direct result of a nonresponsive vendor
that at best is plainly ignorant and at worst acts directly against the best
interest and security of its own customers.
Regards
Thor Larholm
PivX Solutions, LLC - Senior Security Researcher
Latest PivX research: Multi-Vendor Unreal Engine Advisory
http://www.pivx.com/press_releases/ueng
When you play CS, you're supporting terrorists!
"threatened PivX with "getting our lawyers involved with this""
No, let's not let the lawyers get involved. They make enough per hour as it is - we don't need to pay anyone $250/hr to play Unreal Tournament for "case notes."
Wait.. then again, lawyers in Unreal Tournament games. Hrm. It could be an all-out fragfest on a level that nobody could have ever imagined before. I like that idea!
"I won't sugar coat this. We f***ed up on this. Yes this is real and yes this was brought to our attention and yes we should have fixed it by now."
:)
I get the feeling that I'll be in my cold, cold grave before Microsoft starts releasing statements like this
But seriously, it's nice to see a large company admitting it has "F***ed up".
It's been a question for years whether bug finders should go public with bug finds or contact the company directly as to the flaws and the extent of their risk. I think the Open Source community agrees that places like bugtraq and open forums are the best way to discuss holes and security risks. Although Mark Rein was a little over-reactive and zealous, M$ and other companies should make more effort to help their users find bug reporting easy -- in an open environment. This would really speed up the patching process (the priority at least) as well as the overall quality of knowledge available to the users affected and the company whose product is at fault.
that's why I've lost so many matches! Somebody is executing malicious code that screws up my aim and makes me play like crap.
GG
NEW MAP!!!!!!!!!!!!!!!!!!1111
GG EVARYBODY
ZEROSTUD IS A CHEATER
YEAH, I
OMFG UR TEH LAMER
SHUTUP, U CAMPING FAG
[FGP]-Killaz-X -0- LAG!
NO LAG U SUX
NO FUCK YOU
I GET 20 PING
U GUYS HERE ABOUT TEH SECURITY THING??!
GG
NEW MAP
LATZ, IM GONNA PLAY CS
FUCK YOU
KILLING SPREE
UR CHEATING
KICK HIM
STFU U LAMR, YUO SUK
VOTE ON NEW MAP
What's really amazing about this flaw is that GameSpy and its ilk unwittingly offer thousands of IP addresses from which possible DOS attacks may originate. Part of running an Unreal server involves sending "heartbeats" to the master servers of your choice advertising your IP so that other players may easily connect.
No port scanning of any IP ranges to determine what services are available is needed.
That's like Microsoft providing a web page showing which IIS servers are still affected by code red and showing their IPs.
Praying for the end of your wide-awake nightmare.
Well after 2 years of unemployment, toqer is getting into the game house business. That's right, 40 computers T1, the works. I know that my users will be 10 times smarter than the average corporate user and 1/2 the age!
(dum bum bum)
Joking aside, from personal experience I say we're all doomed to open mouth insert foot once in a while, and Marc Rein is no exception. Before you disagree with me or mod me down, let me remind you all of what an *ASSET* epic has been to the gaming community.
Unreal is cross platform, no waiting, it was there pretty much day 1. You can play UT2003 on win or lin.
In regards to my future business, epic has THE BEST licensing compared to EA, Valve, Activision and blizzard, their license is basically "You buy it retail, go ahead and load it on your rental computer" The aforementioned companies want indefinite license fees and Epic doesn't.
Despite home PC gaming being the best, I know the gamehouse community will grow because not everyone can afford 50 P4 3ghz with hyperthreading. As long as the gamehouses keep their technology ahead of the "home curve" they will become a dominating force for showcasing games, a marketing tool if you will. Epic understands this and wants to see this happen.
Epic has been good to the gaming community, and since Marc was grown up enough to apologize, we should be grown up enough to forgive him.
Sorry I can't stop talking about the gamehouse thing....Since I know some devs (Even Carmack at ID) read slash, hopefully if I get modded up enough they'll read this.
To: EA, Valve, Activision and blizzard
Your indefinite contracts suck. Gamehouses are Synonymous with arcades with one vital difference... You do not provide the actual hardware. The owner of the facility provides hardware at a HUGE cost. Try pricing a gamehouse built on Dells sometime and see, the monthly cost of lease / and or buy is crazy. Don't be cheap about it either, price all top of the line and see what you come up with.
The thing you guys don't see is that gamehouse could be the new retail outlet for your games. Licensing shmicening, send me a box of your product to sell on consignment, and I GUARANTEE I would sell out those boxes faster than any single fry's or compusa store. Just find 1 gamehouse to TRY it with as an experiment, see if you sell more.
For being one of the first CS players, you sure have your timeline screwed up. Id never had anything to do with CS. I assume you mean that Id licensed the Quake 1 engine to Valve, who then modified the fuck out of it to create Half-Life, who then created and published the modification SDK, which was then used by the original volunteer team to create CS, which was eventually picked up by Valve. Similar to the progress of Team Fortress, which started as a Quake 1 modification, then the TF team was picked up by Valve to create Team Fortress 2 based on Half-Life, and who did the Half-Life based Team Fortress Classic, meant mostly as a proof-of-concept for the Half-Life mod SDK.
TheCarmack is a god, but he and the Counter-Strike team are in completely different arenas. TheCarmack and others at Id are generally more interested in doing the infrastructure for games (thus the proliferation of games based on the various Quake engines, while the Id-created games tend to be fairly straight-forward and more or less boring), while the Counter-Strike team is more along the lines of what Legend or Digital Extremes is to Epic, or Raven software is to Id -- they create content (Wheel of Time, Unreal 2, various Quake-based games, etc), while the engine developers (Id, Epic) create the infrastructure. It seems to be a very profitable relationship for both parties, and is highly indicative of the way the game industry is moving -- some companies compete to create infrastructure (a la Windows vs. Linux), while other companies use that infrastructure and compete by making games (a la Microsoft Office vs. OpenOffice).