'Unreal' Security Risk

[InfoSec News <isn () c4i org>]

http://www.techtv.com/news/security/story/0,24195,3417248,00.html

By Becky Worley
February 10, 2003
  
Entertaining computer games may no longer be so harmless -- especially 
for your computer. 

PivX Solutions, a computer security firm in Newport Beach, Calif., 
recently disclosed that it has found a slew of vulnerabilities in the 
core software code or "engine" that is used in the Unreal video game. 
PivX says the holes could let an attacker launch a denial-of-service 
attack, crash a gaming server, or even run code on a player's machine. 

Luigi Auriemma, a security researcher for PivX Solutions, discovered 
the holes. 

"These bugs have been around for five years," he says. "They could be 
used by malicious attackers in worms or large-scale attacks that rival 
those of Nimda and Sapphire/Slammer... Really frightful." 

In January, PivX released news of a vulnerability in networking 
protocols that affected many online multiplayer games. That flaw 
affected the connectivity functions of Unreal and Unreal Tournament 
computer games. 

But this latest set of vulnerabilities actually stem from the Unreal 
Engine, the core software code that is licensed out to other 
developers to power the action and graphics of their own games. 

Danger on your disk 

Some of the more popular computer games that PivX claims are affected 
by the Unreal Engine flaw include: 

* "Star Trek: The Next Generation: Klingon Honor Guard"
* "Unreal"
* "The Wheel of Time"
* "Deus Ex"
* "Mobile Forces"
* "Rune"
* "Unreal Tournament"
* "Hired Guns"
* "Navy Seals"
* "TNN Outdoor Pro Hunter"
* "Werewolf"
* "X-Com: Alliance"
* "Adventure Pinball"
* "America's Army"
* "Unreal Tournament 2003"

Four of the games -- Hired Guns, Navy Seals, Werewolf, and X-Com:  
Alliance haven't made it onto store shelves, but PivX says the code
they are built on could be affected by the vulnerabilities if the
games are ever released.

According to its security release, PivX says that playing any of these 
games on a Windows, Linux, or Mac OS platform makes a user vulnerable. 

Possible exploits include the following: 

* Local and remote denial of service.

* Distributed denial of service (flooding remote computers with data 
  packets to freeze it).

* Bounce attacks with spoofed UDP packets. (This is how attackers can 
  flood a server without using all of their bandwidth. It creates a 
  data transfer loop within the targeted computer.)

* Fake players can exclude others on a game server.

* Most importantly, PivX says, the holes could allow the execution of 
  malicious code on a targeted computer.

PivX CEO Geoff Shively called this reporter in November to talk about
the Unreal holes. He asked us not to disclose them until PivX had a
response from Epic Games, which makes the Unreal engine. But PivX now
says Epic won't give it an answer about fixing the holes.

"Epic and its employees are playing 'cat and mouse' with us," Shively 
says. "Software vendors have a tacit obligation to protect their 
customers' security. Unfortunately, many of them don't take this 
responsibility seriously." 

Fixes on the way 

Tim Sweeney, president and chief programmer at Epic Games, says his
company is working on a patch for the server holes.

"Last Wednesday, we produced an Unreal Tournament 2003 patch we've had
in testing that solves all of the reported client-side 'malicious
code' exploits and server exploits," says Sweeney. "We also
immediately made this available to all of the Unreal Engine licensees
for incorporation into their future patches and full game releases."

Sweeney adds that the fixes for the Unreal engine itself is currently
being tested and its release to consumers is "imminent."

Sweeney added that the company isn't used to dealing with such
security issues.

"This incident is the first time Epic Games has been confronted
head-on with a network exploit of this nature. We didn't respond
quickly enough to PivX's initial reports and it's clear that this
event has been a wakeup call," he says. "We're now reviewing our code
for undiscovered exploits, and if we or the community find others,
we'll be jumping on them too."

 


-
ISN is currently hosted by Attrition.org

To unsubscribe email majordomo () attrition org with 'unsubscribe isn'
in the BODY of the mail.