#######################################################################

                             Luigi Auriemma

Application:  Unity
              http://unity3d.com
Versions:     <= 2.61
Platforms:    Windows, Mac, iPhone and web plugin
Bugs:         A] server termination
              B] allocation exception
Exploitation: remote, versus server and client
Date:         25 Mar 2010
Author:       Luigi Auriemma
              e-mail: aluigi@autistici.org
              web:    aluigi.org


#######################################################################


1) Introduction
2) Bugs
3) The Code
4) Fix


#######################################################################

===============
1) Introduction
===============


Unity is a game engine widely used for "indie" games.
Its network code is a modification of the Raknet library.


#######################################################################

=======
2) Bugs
=======

---------------------
A] server termination
---------------------

Like an old bug I found in Raknet in 2005
(http://aluigi.org/adv/rakzero-adv.txt), Unity is affected by a similar
problem: a packet of zero bytes puts the library in an endless loop
that executes Sleep(15) forever.

Although the game seems to continue to run, the process must be killed
to terminate it.


-----------------------
B] allocation exception
-----------------------

A particular type of packet can be used to raise an exception in the
game engine that shuts it down immediately.

The problem is caused by a loop controlled by the attacker, in which
the engine incrementally allocates new memory for performing some
operations; when no more memory can be allocated, the game terminates
with the E06D7363 exception.
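A defensive receive-path check for the two bug classes described in
section 2, as an added example that is not code from this advisory,
Unity or Raknet. The packet layout, the names and the limits are
hypothetical and chosen only for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical layout and limits, assumed for this example only:
 * byte 0 = message id, bytes 1-2 = big-endian record count,
 * then count * RECORD_SIZE bytes of records. */
#define HEADER_SIZE 3u
#define RECORD_SIZE 4u
#define MAX_RECORDS 64u   /* hard cap on the sender-supplied count */

enum pkt_status { PKT_OK, PKT_EMPTY, PKT_TRUNCATED, PKT_TOO_MANY, PKT_NOMEM };

/* Validate one received datagram before any parsing loop runs.
 * On PKT_OK, *out is a malloc'd copy of the records (NULL when the
 * count is 0) and *n is the record count; the caller frees *out. */
enum pkt_status handle_datagram(const uint8_t *buf, size_t len,
                                uint8_t **out, size_t *n)
{
    *out = NULL;
    *n = 0;
    /* Bug A class: a zero-byte UDP datagram is legal and arrives as
     * length 0. Drop it so the receive loop moves on to the next one. */
    if (len == 0)
        return PKT_EMPTY;
    if (len < HEADER_SIZE)
        return PKT_TRUNCATED;

    size_t count = ((size_t)buf[1] << 8) | buf[2];
    /* Bug B class: the loop bound comes from the sender, so cap it and
     * check it against the bytes that actually arrived before allocating. */
    if (count > MAX_RECORDS)
        return PKT_TOO_MANY;
    if (count * RECORD_SIZE > len - HEADER_SIZE)
        return PKT_TRUNCATED;
    if (count == 0)
        return PKT_OK;

    /* One bounded allocation; failure is an error code, not an exception. */
    uint8_t *copy = malloc(count * RECORD_SIZE);
    if (copy == NULL)
        return PKT_NOMEM;
    memcpy(copy, buf + HEADER_SIZE, count * RECORD_SIZE);
    *out = copy;
    *n = count;
    return PKT_OK;
}
```

Every non-PKT_OK status means the datagram is discarded and the server
keeps serving other peers.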
#######################################################################

===========
3) The Code
===========


http://aluigi.org/testz/udpsz.zip

A]
  udpsz SERVER PORT 0

B]
  udpsz -p 1234 -C 0900 -D SERVER PORT -1
  udpsz -p 1234 -C 02020202020202 SERVER PORT -1


#######################################################################

======
4) Fix
======


No fix


#######################################################################