Format String Bug in EpicGames Unreal engine
Posted by: Newsfactory on: 03/11/2004 05:22 PM
Security Focus reports that Luigi Auriemma found a bug in Epic's Unreal engine. It was reported to EpicGames on 2nd September 2003 and still nothing has been done about it! Here are some of the games that are affected:
Unreal 1, Unreal II XMP, Unreal Tournament, Unreal Tournament 2003, Wheel of Time, X-com Enforcer, XIII, Rainbow Six: Raven Shield, Devastation, DeusEx, America's Army
The problem is a format string bug in the management of classes. Each time a client connects to a server, it sends the names of the objects it uses (called classes).
If an attacker uses a class name containing format parameters (such as %n, %s and so on), he will be able to crash the remote server or execute malicious code on it.
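The bug class described above, shown as an added example that is not Epic's code or the advisory's: a client-supplied class name used as the format string, next to the corrected call and an allow-list check. The function names, the 64-character limit and the sample names are assumptions made for illustration.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical handler names; the engine's real code is not shown on the page. */

/* Vulnerable pattern: the client-supplied class name is the format string,
 * so any %s or %n inside it is interpreted by the formatter. */
int log_class_unsafe(char *out, size_t outlen, const char *class_name)
{
    return snprintf(out, outlen, class_name);
}

/* Corrected pattern: the format string is fixed, the name is only data. */
int log_class_safe(char *out, size_t outlen, const char *class_name)
{
    return snprintf(out, outlen, "%s", class_name);
}

/* Defence in depth: accept only letters, digits, '_' and '.', within an
 * assumed length limit. Expects a NUL-terminated string. */
#define MAX_CLASS_NAME 64
int class_name_is_valid(const char *name)
{
    size_t len = strlen(name);
    if (len == 0 || len > MAX_CLASS_NAME)
        return 0;
    for (size_t i = 0; i < len; i++) {
        unsigned char c = (unsigned char)name[i];
        if (!isalnum(c) && c != '_' && c != '.')
            return 0;
    }
    return 1;
}

int main(void)
{
    /* Constructed sample inputs, not captured traffic. */
    const char *names[] = { "Engine.Pawn", "Engine.%s%n" };
    char line[128];
    for (size_t i = 0; i < 2; i++) {
        log_class_safe(line, sizeof line, names[i]);
        printf("valid=%d logged=\"%s\"\n", class_name_is_valid(names[i]), line);
    }
    return 0;
}
```

Compiling with -Wformat -Wformat-security makes GCC and Clang flag the call in log_class_unsafe, which is a cheap way to find this pattern in a code base.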
Comment
vegetto34 (Unregistered)
LOL What an easy to exploit security hole. I might have some fun with this one. "Yea uh... patch in 'two weeks'... "

Comment
Devourer (Unregistered)
"was reported to EpicGames on 2nd September 2003" That's the longest 2 weeks in history. :P

Comment
Chernobyl (Member, Posts: 65, Joined: 2003-05-03)
They need to be fined for this sort of conduct, and big fines too. Plain irresponsible!


