Memory corruption and NULL pointer in Unreal Tournament III 1.2


                             Luigi Auriemma

Application:  Unreal Tournament III
Versions:     <= 1.2 and 1.3beta4
Platforms:    Windows (tested), Linux, PS3 and Xbox360
Bugs:         A] memory corruption
              B] NULL pointer
Exploitation: remote, versus server
Date:         30 Jul 2008
Author:       Luigi Auriemma
              e-mail: aluigi@autistici.org
              web:    aluigi.org


1) Introduction
2) Bugs
3) The Code
4) Fix


===============
1) Introduction
===============

Unreal Tournament III is the latest game (2007) of the Unreal series
created by Epic Games (http://www.epicgames.com). 


=======
2) Bugs
=======

A] memory corruption

UT3 mishandles a specific type of packet. This packet type contains a
16 bit field which specifies the size of the data that follows. If
that data is longer than about 172 bytes, memory corruption occurs,
giving an attacker control of various registers, which could allow the
execution of malicious code.

B] NULL pointer

If the data size given in the 16 bit field described above is bigger
than the total size of the packet, the string will not be read and a
NULL pointer exception will occur.
This type of bug is easily recognizable on the server because the
message "Error: Attempted to multiply free a voice packet" is
displayed before the crash when the malformed packet is received.
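
Both conditions in A] and B] come down to a 16 bit size field that is
not checked against the destination buffer or against the bytes
actually received. The following C parser is an added example, not code
from the advisory or from the game: the packet layout (little-endian
size followed by data), all names, and the 172-byte capacity are
assumptions for illustration.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Assumed layout (not from the advisory): [u16 little-endian size][data]. */
#define VOICE_BUF_CAP 172 /* hypothetical; the advisory says "about 172 bytes" */

enum parse_result { PARSE_OK, PARSE_TRUNCATED, PARSE_SIZE_GT_PACKET, PARSE_SIZE_GT_BUFFER };

struct voice_data {
    uint8_t data[VOICE_BUF_CAP];
    size_t len;
};

/* Never reads past pkt + pkt_len and never writes past out->data. */
enum parse_result parse_voice_blob(const uint8_t *pkt, size_t pkt_len,
                                   struct voice_data *out)
{
    if (pkt == NULL || out == NULL || pkt_len < 2)
        return PARSE_TRUNCATED;
    out->len = 0;

    /* Assemble the field byte by byte: no unaligned or host-endian reads. */
    size_t declared = (size_t)pkt[0] | ((size_t)pkt[1] << 8);

    /* Bug B condition: declared size exceeds the bytes actually received. */
    if (declared > pkt_len - 2)
        return PARSE_SIZE_GT_PACKET;

    /* Bug A condition: declared size exceeds the fixed destination buffer. */
    if (declared > sizeof(out->data))
        return PARSE_SIZE_GT_BUFFER;

    memcpy(out->data, pkt + 2, declared);
    out->len = declared;
    return PARSE_OK;
}

int main(void)
{
    /* Constructed sample packets, not captured traffic. */
    uint8_t ok[6] = {4, 0, 'a', 'b', 'c', 'd'};
    uint8_t oversize[202] = {200, 0};      /* 200 > buffer capacity */
    uint8_t lying[4] = {0xff, 0xff, 1, 2}; /* claims 65535 bytes, carries 2 */
    struct voice_data v;
    printf("%d ", parse_voice_blob(ok, sizeof ok, &v));
    printf("%d ", parse_voice_blob(oversize, sizeof oversize, &v));
    printf("%d\n", parse_voice_blob(lying, sizeof lying, &v));
    return 0;
}
```

Rejecting the packet at either check, before any copy or free path is
reached, is the point: the size field is attacker-controlled and must
be validated against both bounds independently.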


===========
3) The Code
===========



======
4) Fix
======

No fix


Luigi Auriemma
