####################################################################### Luigi Auriemma Application: Unreal engine http://www.unrealtechnology.com Games: Raven Shield, Deus Ex, Land of the Dead, Postal 2, Rune, Shadow Ops, Unreal 2, Unreal Tournament, Unreal Tournament 2003, WarPath, XIII and possibly other games based on the old versions of the Unreal engine (1, 2) Platforms: Windows, Linux, MacOSX Bug: failed assertion Exploitation: remote, versus server Date: 15 Jul 2010 Author: Luigi Auriemma e-mail: aluigi@autistici.org web: aluigi.org ####################################################################### 1) Introduction 2) Bug 3) The Code 4) Fix ####################################################################### =============== 1) Introduction =============== The Unreal engine is the game engine developed by Epic Games (http://www.epicgames.com) and used in many famous commercial games of which the main example is just the lucky Unreal Tournament series. ####################################################################### ====== 2) Bug ====== This advisory is only a reference to keep this bug tracked because the affected games are enough old although still played. The engine uses a particular assertion in the ReceivedRawBunch function for handling the data in the incoming packets. Such assertion is "NumInRec<=RELIABLE_BUFFER" and can be exploited though the sending of a number of packets major than RELIABLE_BUFFER (128) using a sequential number different than the expected one. The effect for the games that implement this assertion is their immediate termination, while there are a couple of games (Unreal 1 and SWAT4) that simply report the failed assertion in the console without bad effects. ####################################################################### =========== 3) The Code =========== http://aluigi.org/fakep/unrealfp.zip unrealfp -B 1 SERVER PORT ####################################################################### ====== 4) Fix ====== No fix. #######################################################################