Unreal Security Hole 250
Screaming Lunatic writes "There seems to be a big security hole in the Unreal engine that has been around for about 5 years. It affects servers for a number of games and operating systems, including Linux (which accounts for about 40% of UT2003 servers). Epic has been working on a patch for about 3 months. Imagine the bad publicity games would receive if a worm on the scale of Slammer had been created." A Bugtraq post from Thor Larholm of PivX says that Mark Rein of Epic threatened PivX with "getting our lawyers involved with this"; the TechTV article Larholm cites (the same one linked from this submission), however, contains no mention of legal action. Rein nonetheless apologized for "those completely unfortunate comments" in a followup message to Bugtraq.
Uh oh... (Score:5, Funny)
Re:Uh oh... (Score:2, Funny)
++AC
BFD. You can do the same thing to the 10k CS (Score:4, Insightful)
This should definately get more attention now and in the future. The innocence of the internet is long dead (long live the king [of porn]).
Re:BFD. You can do the same thing to the 10k CS (Score:5, Insightful)
I'd go one step further and suggest games are *less* secure than regular software since the dev team has many more issues to deal with other than regular software, with less time and less operating money, especially for PC games. Console games seem to have a lot more operations cash lying around, but I can't understand why. Likely it's because PC games attract more resourceful people who sell themselves short? Hard to say.
The half-life (pardon the pun) of games is also much less than regular software. The rush to buy a game might last a few months, while in contrast software like Photoshop has a continual demand that is unbending. And Microsoft could release a program with a little flashing textbox and sell a billion copies at $400 a pop. It's sick.
Games are also flukes at times, too. Who would have ever thunk CS would be so damn popular? I remember being on the first servers and we all thought it was cool but we never had a notion it would blow everything else away.
The problem with security for games like CS is that it was passed off by two other companies (id to valve and then to the CS team), so you've got a pretty confusing situation to take grasp of with all that passing of the security buck. I don't think the makers of CS are at all in the same league as John Carmack, but it doesn't seem to matter in the wake of HL/CS sales, does it?
Re:BFD. You can do the same thing to the 10k CS (Score:5, Informative)
For being one of the first CS players, you sure have your timeline screwed up. Id never had anything to do with CS. I assume you mean that Id licensed the Quake 1 engine to Valve, who then modified the fuck out of it to create Half-Life, who then created and published the modification SDK, which was then used by the original volunteer team to create CS, which was eventually picked up by Valve. Similar to the progress of Team Fortress, which started as a Quake 1 modification, then the TF team was picked up by Valve to create Team Fortress 2 based on Half-Life, and who did the Half-Life based Team Fortress Classic, meant mostly as a proof-of-concept for the Half-Life mod SDK.
TheCarmack is a god, but he and the Counter-Strike team are in completely different arenas. TheCarmack and others at Id are generally more interested in doing the infrastructure for games (thus the proliferation of games based on the various Quake engines, while the Id-created games tend to be fairly straight-forward and more or less boring), while the Counter-Strike team is more along the lines of what Legend or Digital Extremes is to Epic, or Raven Software is to Id -- they create content (Wheel of Time, Unreal 2, various Quake-based games, etc), while the engine developers (Id, Epic) create the infrastructure. It seems to be a very profitable relationship for both parties, and is highly indicative of the way the game industry is moving -- some companies compete to create infrastructure (a la Windows vs. Linux), while other companies use that infrastructure and compete by making games (a la Microsoft Office vs. OpenOffice).
Re:BFD. You can do the same thing to the 10k CS (Score:2)
Re:BFD. You can do the same thing to the 10k CS (Score:2)
You make good points, but I didn't want to associate Valve as a content creator, as they also did a lot of framework work in the Half-Life engine -- Half-Life is not simply Quake 1 with new graphics and possibly some gameplay additions (like Wheel of Time was to Unreal, or SiN was to Quake 2, or FAKK2 was to Quake 3, etc). In that vein, the Counter-Strike team is similar to (but lesser than) those development houses -- most everything is already there for them in the framework, they just supply some gameplay tweaks and new graphics, and stamp out a game. Lines blur, of course (where does American McGee's Alice fall in the Framework v. Content division? Or what about Deus Ex v. Unreal or Anachronox v. Quake 2?), but there seems to generally be two types of content providers -- those that don't need to highly modify the engine, and those that do. Counter-Strike, TF, WoT, FAKK2, etc (even Daikatana, which is pretty sad considering it took so long to release, yet didn't really add much to the genre) fall into the former category, imho. Half-Life, Deus Ex, Anachronox, Alice, etc fall into the latter.
Modifiable games are cool, because it gives people an entrance into the game development world. However, when game developers are hiring mod developers to create games, you end up with games that many times are little more than modifications (not that this is a bad thing, of course). There are exceptions (Steven Polge, now of Epic, for example -- wrote the first decent bot for Quake, the Reaper Bot, and now does most (all?) of the AI work for Epic's UT franchise; Zoid, of Quake 1 CTF fame and the linux ports of Quake 1/2, now works at Retro Studios, and helped create Metroid Prime; the TeamFortress guys that were hired by Valve to create the vaporware stand-alone TeamFortress 2, etc), but every rule has exceptions.
Re:BFD. You can do the same thing to the 10k CS (Score:5, Informative)
Nope. This is a popular misconception, based on the release dates of Half-Life and Quake 2. Half-Life was based on the Quake 1 codebase, and while they did add functionality that Quake 2 also had (hardware acceleration, though glquake did that too, colored lighting, one or two other things), they did a lot more as well, like skeletal animation. However, at its core, Half-Life was still based on Quake 1. Id Software [idsoftware.com] has said as much (search that page for "Half-Life", you'll come up with "Remember this engine is the foundation for what Valve did with Half-Life, and the software and OpenGL rendering is still as fast as it ever was.").
Re:BFD. You can do the same thing to the 10k CS (Score:2)
Would you believe I was? (different definition of "CS", of course) To be honest, I never really liked Counter-Strike all that much. I really don't like a game where I play for 10 seconds, die, and then wait 5 minutes for everybody else to die. If I wanted that little excitement, I'd rather go autocross my car (spend a day at the track for 3 minutes of track time, yay!).
For my entertainment dollar, TeamFortress has always been the way to go. And not that crap they call "TeamFortress Classic", either, but the original Quake 1 mod (TF around version 2.5 or so was the sweet spot). I mean, really, TFC screwed everything up! The scout was too slow, the hwguy could move while shooting (wtf!), they totally butchered canalzon (Best. Map. EVAR!), etc. But now I'm ranting ... (oh for the glory days of the 24/7 canalzon server, Holy Hand Grenade, playing canalzon with Ramirez, one of the map authors. brings a tear to my eye)
actually probably not in Half-Life (Score:2)
right in the advisory too (Score:3, Interesting)
Re:Uh oh... (Score:3, Funny)
L-L-Ludicrous Kill... (Score:2)
...HOLY SHIT!
Which I suppose is what people would have been saying if a major exploit was ever created/and spread to their machine.
Unreal players discussing the security hole (Score:5, Funny)
NEW MAP!!!!!!!!!!!!!!!!!!1111
GG EVARYBODY
ZEROSTUD IS A CHEATER
YEAH, I
OMFG UR TEH LAMER
SHUTUP, U CAMPING FAG
[FGP]-Killaz-X -0- LAG!
NO LAG U SUX
NO FUCK YOU
I GET 20 PING
U GUYS HERE ABOUT TEH SECURITY THING??!
GG
NEW MAP
LATZ, IM GONNA PLAY CS
FUCK YOU
KILLING SPREE
UR CHEATING
KICK HIM
STFU U LAMR, YUO SUK
VOTE ON NEW MAP
hahahaha (Score:2)
I guess most Unreal tournament players are sub-adults.
Re:Unreal players discussing the security hole (Score:4, Insightful)
Who in the hell thought that it would be good idea to take the most annoying facet of the playing online and then turn it into a game feature?
I nearly cried when the bots started shouting "Ownage!" at each other. You can almost hear the numerics in every word.
There's nothing like getting "M-M-Monster Kill"... (Score:2)
Those damn guns are just too fantastic not to use. High rate of fire (when you have two), good accuracy, no splash damage to yourself in a fire fight, pretty dangerous if you can keep your cross hairs on your opponent's head.
Lobbing the Gravity Vortex or flying a Redeemer missile into a large bunch of players to get the M-Kill seems like cheating!
oh, and to address the actual topic... (Score:3, Funny)
Worms, security holes, f'ing smiley face proxy mines, Microsoft: bad
mmmkay?
Links (Score:5, Informative)
Re:Links (Score:5, Informative)
Re:Links (Score:5, Funny)
I heard of Blues Clues, but Blue's news?
To play Blues News you have to find a bug
Stick it in your notebook and describe the hole you've dug
Find another pawprint, thats the second bug
Stick it in your notebook and go catch the cyber-thug
Find the last pawprint, thats the third bug
Stick it in your notebook, get your coffee mug
Sit down in the thinking chair and think, think think.
Cos when we use our minds take a step at a time you can dooo anything, and on billable hours too.
Re:Links (Score:2)
Perhaps if you did not spend your life in front of a computer screen eating soggy potato chips and warm cans of coke and had actually sung the song and danced around instead you might not write posts like Oscar The Grouch.
Re:Links (Score:2)
Re:Links (Score:2)
It was original geek humor.
Blues Clues is written for my two year old. My version of the song was somewhat different.
Re:Links (Score:2)
Seriously, you actually sang the song and danced around? If that's what it takes to get into the "up-with-people" club I guess I would rather eat the soggy potato chips and drink the warm cans of Coke than admit to that fact. Hell, I'd even rather drink warm cans of Sam's Club Diet Cola, and that stuff tastes like ass even when chilled.
I'm half tempted to try to post something that points out that your name is sort of like "Seinfeld"....
Did you know your name is sort of like Seinfeld? But with a "Z"? When you called me a grouch, didn't you really mean "zoup nazi?" Zlashdot's sort of like a site about nothing, isn't it. Not that there's anything wrong with that.
...but that would be totally obvious.
Re:Links (Score:2)
No, I am following the example of the Bush Whitehouse, telling people to act as I say, not as I do.
I'm half tempted to try to post something that points out that your name is sort of like "Seinfeld"....
Oh I get it, smoketoomuch, so you better cut down a bit.
Anyway, have to go, my two year old is having problems with his Linux partition. I think he might have just deleted vmunix from the root directory.
Re:Links (Score:2)
Re:Links (Score:2)
Sometimes
wow (Score:3, Funny)
Re:wow (Score:2)
Yah time.com too.
Yadda (Score:5, Informative)
Well no shit.
So, there may be code in a level you get from a server. Whoopde doo, Basil. Do you autodownload and install browser plugins?
It's just a flaw in the complete system of downloading maps from untrusted servers. Turn AD off, get your maps from an archive you trust.
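The mitigation in the post above ("get your maps from an archive you trust") only works if the client actually checks that what the server pushed is what the archive published. The following is an added example, not code from Epic, PivX or the thread: it pins autodownloaded map packages to a manifest of SHA-256 digests from a trusted archive and refuses to move anything else into the Maps directory. The manifest, file names, file contents and the `.unr`/`.ut2` extension check are all assumptions made for the example.

```python
"""Hash-pinned installation of autodownloaded map packages.

Added example (not Epic's or PivX's code). A trusted archive publishes a
manifest of SHA-256 digests; a package a game server pushes at the client is
only moved into the Maps directory if its advertised name is sane, is listed in
the manifest, and its digest matches. Everything below is constructed.
"""
import hashlib
import hmac
import os
import tempfile

MAP_EXTENSIONS = (".unr", ".ut2")  # assumption: package types we accept


def sha256_of(path, chunk=1 << 16):
    """Stream the file so large packages do not have to fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk), b""):
            digest.update(block)
    return digest.hexdigest()


def safe_name(name):
    """Reject names that could escape the Maps directory or are not packages."""
    if name in ("", ".", "..") or os.path.basename(name) != name:
        return False
    return name.lower().endswith(MAP_EXTENSIONS) and not name.startswith(".")


def verify_and_install(downloads, manifest, maps_dir):
    """downloads: [(advertised_name, local_temp_path)] pushed by an untrusted server.
    manifest:  {package_name: sha256_hex} from the trusted archive.
    Returns (installed_names, [(name, reason), ...]) and moves verified files."""
    installed, rejected = [], []
    os.makedirs(maps_dir, exist_ok=True)
    for name, path in downloads:
        if not safe_name(name):
            rejected.append((name, "unsafe or non-map filename"))
            continue
        expected = manifest.get(name)
        if expected is None:
            rejected.append((name, "not in trusted manifest"))
            continue
        # Constant-time compare is overkill for hashes, but it is the habit to keep.
        if not hmac.compare_digest(sha256_of(path), expected):
            rejected.append((name, "digest mismatch"))
            continue
        os.replace(path, os.path.join(maps_dir, name))
        installed.append(name)
    return installed, rejected


def demo():
    """Constructed scenario: one good package, one tampered, one unlisted,
    one path-traversal attempt. Returns what verify_and_install decided."""
    root = tempfile.mkdtemp()
    inbox, maps = os.path.join(root, "inbox"), os.path.join(root, "Maps")
    os.makedirs(inbox)
    trusted_bytes = b"constructed: trusted map package bytes"
    other_bytes = b"constructed: what the archive published for DM-Other"
    manifest = {  # what the trusted archive would publish
        "DM-Trusted.ut2": hashlib.sha256(trusted_bytes).hexdigest(),
        "DM-Other.ut2": hashlib.sha256(other_bytes).hexdigest(),
    }
    served = {  # what the untrusted game server actually pushed
        "DM-Trusted.ut2": trusted_bytes,
        "DM-Other.ut2": other_bytes + b" plus attacker modification",
        "DM-Rogue.ut2": b"constructed: package nobody vetted",
        "../Maps/DM-Trusted.ut2": trusted_bytes,  # traversal in advertised name
    }
    downloads = []
    for i, (name, data) in enumerate(served.items()):
        path = os.path.join(inbox, f"dl{i}.bin")
        with open(path, "wb") as fh:
            fh.write(data)
        downloads.append((name, path))
    return verify_and_install(downloads, manifest, maps)


if __name__ == "__main__":
    installed, rejected = demo()
    print("installed:", installed)
    for name, reason in rejected:
        print("rejected:", name, "->", reason)
```

The check is deliberately ordered: name sanity first (so a hostile name never reaches the filesystem), manifest lookup second, digest last. A package that is not in the manifest is rejected even if its bytes are harmless, which is the point of trusting the archive rather than the server.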
Re:Yadda (Score:2, Informative)
The problem is that Unreal, Quake, etc. aren't that efficient at sending big files when you have to "autodownload" a level. Effectively this slows down the connection for the server and makes the client have to sit at their computer for a long time and wait for a new map to download. Usually by the time that map has downloaded you've missed that whole round and end up downloading a brand new map again.
It's a lot easier to download stuff from Fileplanet (ick...waiting in line for a file) or elsewhere: it's faster and easier in the long run
Re:Yadda (Score:5, Informative)
Re:Yadda (Score:2)
Re:Yadda (Score:4, Informative)
I play a lot of Return to Castle Wolfenstein, and every time I try to download some new map from a server hosting that map, it CRAWLS at like 2k/sec. This is on an attbi.com cable modem where I just downloaded mozilla 1.21 at 120 KB/sec.
For some reason, the server just won't open a fat pipe to you so you can download one map that everybody else has. It's probably a feature more than a bug. And the thing in Unreal Tournament 2k3 is an even better feature. I was playing this game at a friend's house and I went to some server with a map he didn't have -- lo and behold it connected me to some ftp site and I had the thing in seconds. The same thing would have taken at least 5 minutes in RtCW.
I guess the downside is -- who knows what's REALLY on that FTP site (or server hosting the map in the first place)?? Well, use antivirus, don't be an idiot, back up important stuff on a floppy. If a bug in UT2k3 is what makes you do this stuff, then you are very very lucky that this is the worst brush with disaster you've had.
Oh, and you're probably a n00b, too!
Re:Yadda (Score:3, Informative)
Re:Yadda (Score:2)
Now, UT's solution for file transfers is to allow webserver redirection. It can be a webserver on the same host, but doesn't have to be. In fact, it is often better if it isn't. A T1 line is sufficient to serve up a decently sized game provided client rates are clamped to 5000-10000, but that leaves little extra bandwidth for downloads. Redirecting to a public server that has the files and more bandwidth is a better solution.
The compression is Unreal specific, it does not use any kind of compression simply because the game must have the ability to decompress the files to do any good. They developed a compression that works very well on their file formats. The game will download the compressed file, and then automatically decompress and use it.
I am not here to argue with you how you think it SHOULD be, I am telling you how it is. The fact of the matter is that if UT streams the files through the connection to the client, they are uncompressed and stream at the client's requested data rate, or the server's maximum rate, whichever is less. If you desire faster transfers and/or compressed files you MUST redirect to a webserver.
Watch out! (Score:5, Funny)
Slammer_Worm is on rampage!
Slammer_Worm is dominating!
Slammer_Worm is unstoppable!
Slammer_Worm is Godlike!!!
Let's not overreact here... (Score:5, Insightful)
The poster mentions Slammer. The difference between Slammer and this is that Slammer affected "mission critical" systems, and there are pretty easily demonstratable monetary losses attributed to that worm.
In the case of Unreal, there are not many (if any) businesses (or lives) depending on this software. Hypothetically, someone who hosts games for a fee would get some complaints from customers. But really, a lot of the people affected would be "home users". And, let's face it, home users (including those running Linux) are really vulnerable to all kinds of attacks. This is just a drop in the bucket...
Of course, it'd still suck to get fucked over by this security flaw (just like all the others).
Re:Let's not overreact here... (Score:4, Insightful)
The hole can be used to launch a DDOS attack. Over the last 5 years, there have been tons of games built on the Unreal engine. I haven't seen specific numbers, but the number of Unreal servers and the number of SQLServers out there in the wild is probably comparable. University students running Unreal servers have big pipes.
Games use UDP extensively. Slammer used UDP.
There are about 15 different games that need patching. How many of those servers will get patched after it is released? There was a patch for Slammer before it hit.
Re:Let's not overreact here... (Score:4, Insightful)
I would guess that all of the games get patched. Unlike databases, games are not compatible between versions. When game patches come out, nobody can play unless they have the same patch level. This forces everyone to upgrade or not play.
Re:Let's not overreact here... (Score:2)
Re:Let's not overreact here... (Score:2)
There's often good reason for this. Many times there are customisations that couldn't easily or efficiently be done by just 'adding a DLL' to the Unreal (or whatever) engine. Actually modifying the code to do what you need is quite often faster than adding a plugin-style hook in the form of a DLL in some pre-determined place that the engine designers designated. And with games, every little speed gain counts...
Games are, inherently, vulnerable to this type of attack. It's difficult to stop this without it having been a concern at design time... if you don't design with security in mind, it's very difficult to bolt it on later. Games usually concentrate on frame-rate, features, polygons-per-second or whatever other things will help the game to sell. I doubt that "secure" is a feature that pushes many gamers to purchase one game over another, so naturally (by the way the market works) security is not of top priority in the games that sell.
Re:Let's not overreact here... (Score:2)
Uh... wrong on both counts.
I have my UT2k3 patched to the current level, but I can still play on original, unpatched servers -- although I doubt any client running the original code can connect to a patched server. The UT2k3 team seems to be better about this than id Software and Q3, where if you don't have the same patch level as the server, well, too damn bad.
Databases often require the same -- in Oracle there is a COMPATABILITY parameter in the init files. You can set it to various versions to ensure compatibility to an old version of the client or ODBC drivers. Set it to a higher version though, and the old clients won't connect.
Re:Let's not overreact here... (Score:2)
, does UT usually run as root/in the System security context?
Re:Let's not overreact here... (Score:5, Funny)
Re:Let's not overreact here... (Score:2, Informative)
There are 2 kinds of people (doing that stuff)
1. The true hackers/phreakers/whatever they are called - They write programs to show off and put light on a big issue.
2. Script kiddies - They are the ones who just copy off what those from the 1. group did and are those who once in a while knock big systems down.
The reason why game servers don't get knocked down so often (once in a while someone drops off a few) is it's usually script kiddies doing havoc - And when they are bored doing drag n drooling in that shiny i-face those from the first group made they'll go back to gaming. At least they'd figured out that knocking over something they are going to use isn't all that smart...
By the way - Shouldn't people be looking into why the slammer was released instead of just saying "Yeah I'm an ultra cool sysadmin I figured out ALLL LLL by me self to close that port". It had no payload, no real use - and in fact 2 bugs afaik. How many of you out there have started an investigation into how the fuck that little sucker got on your network in the first place? Any of you actually went over your "trusted" sites and thought of fixing holes? I think the slammer was an experiment that accidentally got released before it was done.
Re:Let's not overreact here... (Score:4, Insightful)
The same packet flood coming from ANYWHERE would have the same effect. The issue is the number of vulnerable hosts out there. If the number is high enough, the danger is real.
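The two comments above make the practitioner's point: a UDP flood looks the same whoever sends it, and what changes the risk is how many hosts (here, game servers on fat university pipes) can be made to send one. What a defender can do is recognise both shapes of flood in flow data. The following is an added example, not from the thread, the PivX advisory or Epic: it parses constructed flow-log lines and flags a single source hammering a game port and, separately, many sources converging on one victim. The log format, addresses, port numbers and thresholds are assumptions made for the example.

```python
"""Spotting UDP packet floods in flow logs: one loud source, or many quiet ones.

Added example (not Epic's, PivX's or the thread's code). Log lines have the
constructed shape
    "<epoch_seconds> <src_ip>:<src_port> -> <dst_ip>:<dst_port> <proto> <bytes>"
Two rules run per one-second bucket:
  * single-source flood: one src -> dst pair exceeds RATE_THRESHOLD packets
  * distributed flood:   one dst is hit by at least FANIN_THRESHOLD distinct srcs
Thresholds, hosts and ports are assumptions for the example.
"""
from collections import defaultdict

GAME_PORT = 7777           # assumption: UT-style UDP game port
RATE_THRESHOLD = 100       # packets per second from one source to one target
FANIN_THRESHOLD = 20       # distinct sources per target per second


def parse_line(line):
    """Return a dict for a well-formed line, None for anything else."""
    try:
        ts, src, arrow, dst, proto, size = line.split()
        if arrow != "->":
            return None
        src_ip, _ = src.rsplit(":", 1)
        dst_ip, dst_port = dst.rsplit(":", 1)
        return {"ts": int(ts), "src": src_ip, "dst": dst_ip,
                "dport": int(dst_port), "proto": proto, "bytes": int(size)}
    except ValueError:
        return None


def detect(lines, rate_threshold=RATE_THRESHOLD, fanin_threshold=FANIN_THRESHOLD):
    """Return sorted alerts as (kind, host, second, count).
    kind 'single-source flood': host is the offending source.
    kind 'distributed flood':   host is the victim destination."""
    per_pair = defaultdict(int)      # (second, src, dst) -> packet count
    fan_in = defaultdict(set)        # (second, dst)      -> distinct sources
    for rec in map(parse_line, lines):
        if rec is None or rec["proto"] != "UDP":
            continue                 # malformed or not UDP: skipped, not counted
        per_pair[(rec["ts"], rec["src"], rec["dst"])] += 1
        fan_in[(rec["ts"], rec["dst"])].add(rec["src"])
    alerts = []
    for (sec, src, dst), n in per_pair.items():
        if n >= rate_threshold:
            alerts.append(("single-source flood", src, sec, n))
    for (sec, dst), srcs in fan_in.items():
        if len(srcs) >= fanin_threshold:
            alerts.append(("distributed flood", dst, sec, len(srcs)))
    return sorted(alerts)


def build_sample_log():
    """Constructed traffic: three real players, one flooder, and forty
    compromised game servers each sending a modest rate at one victim."""
    lines = ["this line is garbage and must be skipped"]
    for t in range(1000, 1010):                       # legitimate players
        for player in ("10.0.0.11", "10.0.0.12", "10.0.0.13"):
            for n in range(3):
                lines.append(f"{t} {player}:{40000 + n} -> 192.0.2.10:{GAME_PORT} UDP 64")
    for n in range(300):                              # one host, 300 pps at second 1005
        lines.append(f"1005 203.0.113.7:{1024 + n} -> 192.0.2.10:{GAME_PORT} UDP 1200")
    for t in range(1007, 1010):                       # 40 servers x 10 pps -> one victim
        for i in range(40):
            for n in range(10):
                lines.append(f"{t} 198.51.100.{i + 1}:{GAME_PORT} -> 192.0.2.50:53 UDP 1400")
    return lines


if __name__ == "__main__":
    for alert in detect(build_sample_log()):
        print(alert)
```

Note that each of the forty distributed senders stays far below the per-source rate threshold, so only the fan-in rule sees that flood; conversely the single flooder is one source and never trips fan-in. Running both rules is what covers the "from ANYWHERE" case the comment describes.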
Re:Let's not overreact here... (Score:2)
That may be the case, but how many employees run the clients on their employers' networks? Quite a few, I'd wager. Each of those clients is a potential entry point for an intruder to exploit and do who-knows-what.
Expect to see security officers/network admins clamping down harshly on folks running "unapproved" applications, such as games. Yes, even on the techies. I've been suspicious of multi-player network games for some time, and this event confirms my concerns.
My only hope is that the blackhat community haven't been aware of this for the year or more that some security researchers have been. I'm not optimistic though. This also demonstrates why full disclosure is important - if those security researchers had disclosed when they found out, people could have abandoned Unreal-based games until a fix was released, as opposed to continuing to run dangerous client software and leaving themselves exposed without even knowing it.
--
Bugtraq Post (Score:5, Informative)
On February 5th, Luigi Auriemma of PivX Solutions released a tightly packed advisory detailing multiple vulnerabilities in the Unreal network gaming engine developed by Epic Games. These vulnerabilities affect both clients and servers who are playing the plethora of games that are using the engine, and have been readily exploitable for 5 years.
The press release:
http://www.pivx.com/press_releases/ueng
The advisory itself:
http://www.pivx.com/luigi/adv/ueng-adv.t
Following both industry and personal standards, PivX gave Epic Games a duration of 30 days to (at the very least) respond to our private notification to them. After nothing had happened during that month we prepared to release the advisory, yet once the press asked Epic Games for comments they were suddenly very responsive. Promises to work closely with us on the vulnerability and advisory were made and we managed to hold down the press for several months after this. 60 days passed after this, without any collaboration, honest effort or actual contact from Epic Games.
We released the advisory after 90 days had passed from the original vendor notification. 90 days, in which we were played like fools, in which Epic Games had ample time and sufficient opportunity to react and work with us on a coordinated release. 90 days in which Epic Games, from the best of our comprehension, had archived our communications in the trash, during which we received no serious communication except for crisis handling at the originally planned release time.
On February 6th, BluesNews (among many others) could cite a quote from Mark Rein, Epic Games Vice President:
"I won't sugar coat this. We f***ed up on this. Yes this is real and yes this was brought to our attention and yes we should have fixed it by now."
http://www.bluesnews.com/cgi-bin/board.pl?
On February 11th the tides have changed, and TechTV are reporting public legal threats from that same person:
"This is slanderous," he says. "They've taken this too far. We're getting our lawyers involved with this."
http://www.techtv.com/news/security/story
I fail to see how Mark Rein on one hand can publicly announce this to be a real threat that they should have fixed earlier, and on the other hand can announce the advisory to be false and malicious statements. There is no slander or libel in any aspect of this, and the only imaginable outcome that Mark Rein must have been aiming for by his declaration of lawyer involvement is to silence future security research on Epic Games products through the promise of unfounded barratry. As we know from precedents in the past, this approach to security is counterproductive at best and encouraging for underground security research at worst, and I can only hope for an official retraction of this policy by Epic Games once other employees have had half a minute to think about the implications and example that Mark Rein is setting forth.
In the past, I have received better nonresponsive treatment by Microsoft when their security handling was at its worst. Contrary to the vast improvements that Microsoft has gone through over the last year and a half, Epic Games did not even start to acknowledge the problem properly before a full public disclosure had been made on February 5th.
I believe that Luigi, and all of PivX, have handled this issue in a courteous, professional and ethical manner, and the uncoordinated release that was its outcome stems from a direct result of a nonresponsive vendor that at best is plainly ignorant and at worst acts directly against the best interest and security of its own customers.
Regards
Thor Larholm
PivX Solutions, LLC - Senior Security Researcher
Latest PivX research: Multi-Vendor Unreal Engine Advisory
http://www.pivx.com/press_releases/ueng
Epic Rebuttal (Score:4, Informative)
Thor,
I have sent your company an apology for those completely unfortunate comments that I sincerely regret. We did provide an official statement and I was not, at the time, aware that my verbal reaction, in a moment of shock and surprise, was being captured for the article.
The comment was a complete over-reaction to seeing the list of games including future games that have not yet been published. It had nothing to do with the security issues themselves, the validity of the report, or the way Pivx presented it to us. Pivx gave us more than fair enough warning of the bugs and we simply failed to fix them in the allotted time. We released a statement last week to the Unreal community indicating that "we fucked up" in not addressing these concerns within the given time and that we were already testing a patch with the security issues corrected. In addition the official statement we gave pointed out that we were fixing the holes and that the Pivx report was fair and accurate. Licensees were already provided with the source code for the security fixes.
Again this was a moment-of-stupidity reaction and I sincerely apologize to Pivx and the entire security community. Epic has already stated that we will take these matters far more seriously in the future.
Mark Rein,
Epic Games Inc.
Visit us at http://www.epicgames.com
$250/hr to play games? (Score:5, Funny)
No, let's not let the lawyers get involved. They make enough per hour as it is - we don't need to pay anyone $250/hr to play Unreal Tournament for "case notes."
Wait.. then again, lawyers in Unreal Tournament games. Hrm. It could be an all-out fragfest on a level that nobody could have ever imagined before. I like that idea!
Re:$250/hr to play games? (Score:5, Funny)
Re:$250/hr to play games? (Score:2)
I really like Rein's comment (Score:5, Funny)
I get the feeling that I'll be in my cold, cold grave before Microsoft starts releasing statements like this
But seriously, it's nice to see a large company admitting it has "F***ed up".
Re:I really like Rein's comment (Score:3, Insightful)
40% of UT2003 servers run on Linux. Basically, on a site like Slashdot, that makes them immune to criticism. No offense, but this is all pretty hypocritical (and mod me down to redundant if you like, as this has been said before in a hundred other threads).
Re:I really like Rein's comment (Score:2)
I realize you are just a little troll who was modded up by a confused moderator, but your post did fill me with a bit of nostalgia which, in turn, inspired me to do a little searching. So, here we are:
Can you imagine how much more vehemently people would jump on Microsoft if they said something like that?
Unfortunately, I can't find much info about how Microsoft responded to their first vulnerability, but, if this account of their reaction to a subsequent problem (from the RISKS-FORUM Digest Saturday, 7 Dec 1985 Volume 1: Issue 27 [ncl.ac.uk]) is any indication, I'd have to assume that it was at least as bad as Epic's first response was. You are probably right: if /. had been around back then, Microsoft would have been in for yet-another-undeserved tongue-lashing over this!
[BTW, I dunno why the author went on about worms and viruses in connection with nonreplicating malicious code... I guess it was in the spirit of their special "worms and viruses issue"? True, the whole purpose of the risks forum was to discuss risks, and the current problem was being used to illustrate the potential for worse problems. But, still, to call it a worm in all caps...]
Here's a post [google.com] that included the original Washington Times column, for anyone else who found the hyperbole of the above article a bit too much.
Re:I really like Rein's comment (Score:5, Funny)
I thought it was unreal?
Re:I really like Rein's comment (Score:3, Informative)
Epic is not a large company by any means. Certainly not in comparison to the Microsofts, Suns, and IBMs of the world, and not even within their own gaming market -- they're positively dwarfed by the big guys like EA, Acclaim, Infogrames/GT Interactive/Atari/whatever they're calling themselves now, etc. No, Epic is what a game development company should be -- small, dedicated, and highly focused on one thing at a time, similar to Id (which is also an extremely tiny company, as these things are measured).
However, it's great to see these relatively small companies having so much influence in a market. Id and Epic literally own the FPS market, considering there are very few shooters that don't use technology from one or the other.
Not just unreal... (Score:3, Insightful)
Just because your favorite (or even least favorite) app hasn't had a major hole found in it that doesn't mean it isn't there. You might be running a time-bomb on even the most secure of your systems and not even be aware.
Of course this is all obvious to anybody who has been online for a while.
Philosophy… (Score:5, Interesting)
It's unfortunate, but... (Score:3, Funny)
Four words... (Score:5, Interesting)
He admitted that they screwed up. (or fucked up, as the case may be.) He lost it when pivx when public. Then he apologised for losing it, and admitted that pivx was entirely in the right.
This is about as much news as the bug itself. Not much.
Re:Four words... (Score:2, Informative)
Re:Four words... (Score:2)
On the other hand, I'd like to see someone squeeze an apology out of John Romero.
Aha! (Score:5, Funny)
Re:Aha! (Score:2)
Unreal Security Hole (Score:3, Funny)
Um...oh. never mind.
Movie Idea (Score:4, Funny)
Re:Movie Idea (Score:5, Funny)
Yeah it was with that chick from that other movie about a bus that had to speed around a city, keeping its speed over fifty, and if its speed dropped, it would explode!
I think it was called The bus that couldn't slow down.
Like the Slapper Worm? (Score:3, Interesting)
So... this is the sound of a thousand gamers... (Score:4, Funny)
Just when me and my friends were putting the finishing touches of our college residence Unrealy Tourny level
Patch it! Patch it quick, I have to snipe! A day without "M-mmmonster KILL" ringing in my ears, is a day not worth waking up for.
Convenient Too! (Score:5, Interesting)
No port scanning of IP ranges to determine what services are available is needed.
That's like Microsoft providing a web page showing which IIS servers are still affected by code red and showing their IP's.
Re:Convenient Too! (Score:5, Funny)
Given how well they did with patching their network over Slammer, I think the list would start with:
127.0.0.1
*Unreal* Security Hole.... (Score:3, Funny)
Dear slashers, please forgive epic (Score:5, Interesting)
(dum bum bum)
Joking aside, from personal experience I say we're all doomed to open mouth insert foot once in a while, and Mark Rein is no exception. Before you disagree with me or mod me down, let me remind you all of what an *ASSET* Epic has been to the gaming community.
Unreal is cross platform, no waiting, it was there pretty much day 1. You can play UT2003 on win or lin.
In regards to my future business, Epic has THE BEST licensing compared to EA, Valve, Activision and Blizzard; their license is basically "You buy it retail, go ahead and load it on your rental computer". The aforementioned companies want indefinite license fees and Epic doesn't.
Despite home PC gaming being the best, I know the gamehouse community will grow because not everyone can afford 50 P4 3ghz with hyperthreading. As long as the gamehouses keep their technology ahead of the "home curve" they will become a dominating force for showcasing games, a marketing tool if you will. Epic understands this and wants to see this happen.
Epic has been good to the gaming community, and since Mark was grown up enough to apologize, we should be grown up enough to forgive him.
Sorry I can't stop talking about the gamehouse thing....Since I know some dev's (Even Carmack at ID) read slash, hopefully if I get modded up enough they'll read this.
To: EA, Valve, Activision and blizzard
Your indefinite contracts suck. Gamehouses are synonymous with arcades with one vital difference... You do not provide the actual hardware. The owner of the facility provides hardware at a HUGE cost. Try pricing a gamehouse built on Dells sometime and see; the monthly cost of lease and/or buy is crazy. Don't be cheap about it either, price all top of the line and see what you come up with.
The thing you guys don't see is that gamehouses could be the new retail outlet for your games. Licensing shmicensing, send me a box of your product to sell on consignment, and I GUARANTEE I would sell out those boxes faster than any single Fry's or CompUSA store. Just find 1 gamehouse to TRY it with as an experiment, see if you sell more.
Re:Dear slashers, please forgive epic (Score:2)
You can get a 1.73 GHz Athlon XP 2100+ (all you need for a gamehouse) with a 30 gig hard drive (you're not storing MP3s or movies, just saving games to disk, you can save 28 full 1 gig games with that much space), GeForce 4 Ti4600 (not top of the line but this is buying in bulk you're not
Athlon XP 2100+ with motherboard, $118
30 Gig hard drive, $49
GeForce 4 Ti4600 $209
Cheap 52X CD-ROM Drive $17
10/100 Ethernet card $5
Some Creative Labs card (just gonna have headphones anyway) $10
19" (18 viewable) monitor, max res 1600x1200 @75Hz $160
Case with 400W PSU $20
Logitech Mouseman Dual Optical $30
Generic Keyboard $10
These prices are from pricewatch.com so they're not random numbers I made up.
No floppy needed (you buy just one for the gamehouse and if you ever need it just put it in a computer)
Total: $628
If you set a $1,000 limit you have $372 left over to do whatever upgrades you want (larger monitor, better video card, faster processor, none of these are needed though and the computer will be able to play all games very nicely in a decent resolution for a year before you should upgrade again, and the upgrade will be just that, you would only need a better video card and faster processor.
$18,840 for 30 computers, less since you're buying in bulk, then the rental of the building, not much, a couple hundred a month, some pretty fast SDSL connection like $200 a month. Another $5,000 for a great server from Dell ($2,500 if you build it yourself; my friend does game hosting, these are actual prices he spends on computers that can host 10 games at one time lag free even when they're full.) You don't need any 3 GHz P4s straight from Dell anyway, I know this because I'm really getting a gamehouse and I did a lot of research into it (including pricing, my original PC price was about $20,000 for 25. You make a lot of money selling computers, hardware, software and stuff like that. If it was really insanely expensive to get computers do you think any of these places would still be in business? If they're buying Dells and not building their own and selling them too then they deserve to lose money, not EA's fault that you've got stupid management.
And what are you talking about with retail games? These places are fully able to sell retail games; who says you can't have a store that sells video games and doubles as a gamehouse? Your "idea" to "let" these places sell video games is kind of umm stupid. It's already happening, but here's an even better idea, we should make stores in the mall, maybe call them like Game Stop or Electronics Boutique or something trendy like that, and these places can sell video games and stuff. It'd be so cool since most people do their shopping in the mall, these places would make tons of money! Man I hope those game developers are reading this, my idea is revolutionary!
Re:Dear slashers, please forgive epic (Score:2)
If he's setting up a game house, he's not going to go with anything even close to your specs... because he has to offer something better than what most people will have, including most gamers.
That means a P4 3 GHz, a Radeon 9700 Pro, a gig of memory (which you forgot to price at all - that PC isn't going to do much with no memory), and XP (which you also forgot to price).
These prices are from pricewatch.com so they're not random numbers I made up
You may as well have. Nobody that has a clue buys stuff from the lowest priced vendor on Pricewatch. All you'll get is shitty vendors selling shitty equipment. Go someplace like Newegg, Monarch, or Mwave (or a local shop) and single source everything. You'll pay a bit more, but you'll get equipment that's not been RMA'd three times already, you'll have a company that actually takes returns, ships on a timely basis, and essentially doesn't jack around.
I'd agree on not buying Dells (gack), and the various other bits, but it still isn't as cheap as you suggest if you want top of the line rigs.
As far as selling games -- yes, he can sell them... but he needs to get an in with a distributor, otherwise he has to buy them at retail to sell them at above retail. Ditto for the computer equipment (although buying from someplace like Newegg and then selling at retail will give you a decent cushion by itself).
TechTV re-wrote their story (Score:4, Informative)
Kudos, however, to Epic for later retracting it.
Re:TechTV re-wrote their story (Score:2)
pwned! (Score:2, Funny)
Imagine (Score:3, Funny)
Imagine the bad publicity games would receive if a worm on the scale of Slammer had been created.
I wouldn't mind seeing which bank used unreal servers in their ATMs :)
It just goes to show you.... (Score:2)
Dolemite
Damn, and I just thought it was RedHat... (Score:3, Insightful)
One day my network went to crap, and I found that the switch had been overloaded with bogus MAC addresses. Turns out someone had hacked the Unreal Tournament box and put a very nasty packet sniffer on it. (Thank the gods for ssh.)
I had always assumed it was just the default state of a RedHat 6 box that had been easily cracked.
-Chris
Could work for Kazaa, against RIAA (Score:5, Funny)
Sounds like a reflection attack... (Score:3, Insightful)
- Distributed denial of service (flooding remote computers with data packets to freeze it).
- Bounce attacks with spoofed UDP packets
This bit sounds an awful lot like the GameSpy reflection attack [lemuria.org]: you send them a forged UDP packet asking for some resource, they send out 400 times as much data to the poor bloke whose IP you put on it. Rinse, lather, repeat and you have yourself a pretty big DRDOS (not the guys MS killed, rather a Distributed Reflection Denial Of Service).
chroot + firewall? (Score:3, Insightful)
If you really want to be paranoid, you can run a server inside a User Mode Linux VM which is only a little slower than a real box (only the system calls are emulated, not the instructions) and iptables on all IP connections into and out of the box.
It wouldn't solve every problem, but it would reduce the ill-effects of most worms.
Customer service as a last resort (Score:2)
Rather like those investigative shows on TV which examine cases of customers getting raw deals, often for years, from vendors/shops/etc. But when the journos arrive, they're all smiles and terribly-sorry-we'll-make-it-all-better, paying off that one customer and still ignoring the many who are still being screwed the same way.
Why does it have to get to the stage of negative publicity before firms get a clue about customer service? Commercial reasons, obviously - customer care is overhead - but it's still sad.
Xploit this bug to run Linux on an unchipped Xbox? (Score:3, Interesting)
As far as I know Xbox games are running at Ring 0 for speed reasons, so it should be possible to get complete control over the Xbox and run Linux or other code without a modchip. Other networked games could have similar problems, so that scheme could work with other networked games too.
Yet another link . . . . (Score:2)
Figure I'd toss in my 1/50 of a Euro at current exchange rates.
Old, very, very old news (Score:2)
Released: January 16, 2002
Version: All up to current.
Bug: Server status port replies to spoofed UDP packets with large amount of data.
Affected Games:
Quake
Quake 2
Q3: Arena
Half-Life
Counter-Strike
Sin
Soldier of Fortune
Daikatana
Unreal Tourn.
Quakeworld
Unreal
Rune
Gore
Tribes
T
Serious Sam
Serious Sam 2
CC: Renegade
Global Operations
Jedi Knight 2
Battlefield 1942
America's Army
Unreal Tournament 2003
Return to Castle Wolfenstein
Medal of Honour Allied Assault
SoF2 Double Helix
SoF2 Double Helix Demo
Alien vs Predator 2
NeverWinter Nights
V8 Supercar Challenge
UDP is a connectionless protocol of which the source IP and port can easily be spoofed. If you've read the introduction, you can probably see where I'm going with this.
The BF1942 status port will reply to an amazing amount of requests, and although I have only personally tested this to 50 kbytes/sec, I don't see any reason why you couldn't go even higher.
When these requests are received, the reply is sent to the source host which, in this case, we have spoofed. This causes a huge packet flood to your victim, therefore you now have your DoS.
When tested, a single upstream of 4 k/s to the BF1942 server yielded over 550 k/s being sent to the victim host. When the victim's host receives these packets on a UDP port which is open (commonly found to be 135 (MS/DCE RPC), 53 (DNS), and so on), the downstream to that connection will be flooded. If you sent to an unreachable port on the victim's host, the victim's stack will respond with "Unreachable" responses which will also flood their upstream.
A personal firewall such as ZoneAlarm will not prevent this DoS, as it is simply a flood of information being sent directly to the victim's computer. To stop this DoS from reaching the victim, the port you specify would have to be blocked before reaching their system. Ports you would find particularly useless would be ones that are commonly blocked by ISPs before reaching the customers (139/NetBIOS, and so on). A firewall will only prevent the victim from responding with ICMP Unreachable packets.
* Packets can be sent steadily, no wait time needed for refresh.
This is an attack that can easily flood any system slower than the game server, and do it anonymously because the UDP packet source is spoofed to that of the victim. This is very similar to the "smurf" attack that was used in the late 20th century. =)
The attack does not only affect the bandwidth of the host and the victim, but it also tends to eat up a nice chunk of memory and CPU power on the server.
This low amount of required upstream would allow a simple modem user to send a hefty DoS to a T1 or higher.
Due to the fact that Battlefield 1942 servers tend to require a lot of bandwidth to operate, you are very likely to find that nearly any server will have more than enough bandwidth to handle the task. EA has many of their servers hosted on OC3 lines.
In many ways, this exceeds the severity of the smurf attack method.
Example theory of risk:
T1 (1.54 mbps) FULL DoS:
1 server needed @ ~220 k/s or more (a 20 player server will do).
1 - 2 k/s* upstream needed from attacker (~14.4 baud modem)
A single user dialed up at 14,400 bps can topple a T1.
A single dial-up at 56k (31.2kbit up) could DoS 2 T1s at a time.
Worst of all, proof-of-concept code is in the wild =/
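The reflection described in the "Sounds like a reflection attack" comment and in the advisory quoted above works because a status port answers any unauthenticated UDP query with a large reply, so whoever's address is forged into the query receives the flood. One server-side mitigation is to bound the reply bytes any single source address can draw, which caps what one server can contribute to a victim. The code below is an added illustration, not Epic's, EA's or any game server's code; the limiter is a per-source token bucket, and the flood figures (200 queries/s, 20-byte query, 1400-byte reply, 16 KB/s allowance) are constructed.

```python
from collections import defaultdict


class StatusReplyLimiter:
    """Token bucket keyed by source address, kept in integer milli-bytes so
    the simulation below is exact. Each source may draw at most rate_bps
    reply bytes per second, with burst_bytes of headroom."""

    def __init__(self, rate_bps, burst_bytes, clock_ms):
        self.rate_bps = rate_bps
        self.cap = burst_bytes * 1000            # bucket capacity, milli-bytes
        self.clock_ms = clock_ms                 # injectable clock, milliseconds
        self.tokens = defaultdict(lambda: self.cap)
        self.last_ms = {}

    def allow(self, src_ip, reply_len):
        """True if a reply of reply_len bytes may be sent to src_ip now."""
        now = self.clock_ms()
        elapsed = now - self.last_ms.get(src_ip, now)
        self.last_ms[src_ip] = now
        # elapsed ms * bytes/s is exactly milli-bytes, so no float drift
        self.tokens[src_ip] = min(self.cap, self.tokens[src_ip] + elapsed * self.rate_bps)
        need = reply_len * 1000
        if self.tokens[src_ip] >= need:
            self.tokens[src_ip] -= need
            return True
        return False


def simulate_flood(qps, seconds, query_len, reply_len, rate_bps, burst_bytes):
    """Constructed scenario: qps status queries per second for `seconds`,
    every one carrying the same forged source address (the victim).
    Returns (reply bytes without limiter, reply bytes with limiter,
    amplification factor without, amplification factor with)."""
    now = [0]
    limiter = StatusReplyLimiter(rate_bps, burst_bytes, clock_ms=lambda: now[0])
    victim = "203.0.113.7"                       # constructed TEST-NET-3 address
    total = qps * seconds
    sent = 0
    for i in range(total):
        now[0] = i * 1000 // qps
        if limiter.allow(victim, reply_len):
            sent += reply_len
    query_bytes = total * query_len
    unlimited = total * reply_len
    return unlimited, sent, unlimited / query_bytes, sent / query_bytes


if __name__ == "__main__":
    u, l, au, al = simulate_flood(200, 5, 20, 1400, 16000, 16000)
    print(f"unlimited {u} B ({au:.0f}x), limited {l} B ({al:.2f}x)")
```

The limiter cannot tell a forged source from a real one, so a victim under reflection also loses the ability to query that server for the duration; it bounds the damage rather than removing the need for anti-spoofing at the network edge.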
Defeating Spoofing (Score:2)
If all ISPs actively put in anti-spoofing filters on all their routers then this type of denial of service attack could be greatly reduced as blackhats would only be able to spoof IPs & UDP services to their own segments.
But no, most ISPs probably take a router out of the box, type a few commands and take it into production.
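The router-side filter the comment asks for is source address validation on customer-facing interfaces: a packet is forwarded only if its source address belongs to a prefix assigned to the interface it arrived on, so a forged source cannot leave the customer's own segment. The snippet below is an added illustration of that check, not any router vendor's implementation; the interface names, prefix assignments and packets are constructed from documentation address ranges.

```python
import ipaddress
from collections import Counter


class IngressFilter:
    """Strict per-interface source validation: forward a packet only if its
    source lies in a prefix assigned to the interface it came in on."""

    def __init__(self, interface_prefixes):
        # interface name -> networks assigned to the customer behind it
        self.table = {ifname: [ipaddress.ip_network(p) for p in prefixes]
                      for ifname, prefixes in interface_prefixes.items()}
        self.stats = Counter()

    def permits(self, ifname, src_ip):
        """True if src_ip is legitimately sourced behind ifname."""
        src = ipaddress.ip_address(src_ip)
        ok = any(src in net for net in self.table.get(ifname, []))
        self.stats["permit" if ok else "drop"] += 1
        return ok

    def forward(self, packets):
        """packets: iterable of (ifname, src_ip, dst_ip) tuples.
        Returns the packets that pass the check, in order."""
        return [p for p in packets if self.permits(p[0], p[1])]


# Constructed assignments (documentation ranges, not real customers)
ASSIGNMENTS = {
    "cust-eth1": ["198.51.100.0/24"],
    "cust-eth2": ["203.0.113.0/26", "2001:db8:1::/48"],
}

# Constructed packets toward a game server at 192.0.2.10. The second one
# carries a forged source on cust-eth1; without the filter the server's
# status reply would be reflected onto 203.0.113.7.
SAMPLE_PACKETS = [
    ("cust-eth1", "198.51.100.9", "192.0.2.10"),
    ("cust-eth1", "203.0.113.7", "192.0.2.10"),
    ("cust-eth2", "198.51.100.200", "192.0.2.10"),
    ("cust-eth2", "203.0.113.40", "192.0.2.10"),
    ("cust-eth2", "2001:db8:1::10", "2001:db8:2::1"),
]


def forwarded_sources(packets=SAMPLE_PACKETS, assignments=ASSIGNMENTS):
    """Return the source addresses the filter lets through."""
    return [p[1] for p in IngressFilter(assignments).forward(packets)]


if __name__ == "__main__":
    print(forwarded_sources())
```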
Re:Games are worse than drugs. (Score:5, Funny)
When you play CS, you're supporting terrorists!
Re:Games are worse than drugs. (Score:2, Funny)
A Generation Already Wasted (Score:5, Funny)
Frankly, if you're someone who routinely writes "ppl" in place of "people" you're already demonstrating such severe degeneration of health/brain that you may already be a lost cause.
Sooo...what I wanted to say is that I hope that someone f**k the game-servers up so badly that these trapped gamerz can see what life has to offer!
Might I suggest you take some of the same advice you give to these "gamerz" and check out what life has to offer. It appears to be passing you by.
Re:At least they're being frank... (Score:5, Informative)
And you get modded as insightful... oh well.
Re:At least they're being frank... (Score:2)
It's called context. When Epic found out, they assigned a programmer to it. That guy screwed up. However, Epic isn't afraid of critiquing their own performance. Ever since the security error was widely publicized (about a week ago), Epic has been nothing less than forthcoming about the magnitude of the error.
It's a very understandable situation, one that's happened before even to good companies. They didn't try to cover it up, or call it a feature. They've just been working their pants off trying to get out a patch that fixes the problem w/o causing even more havoc.
Re:At least they're being frank... (Score:2, Funny)
Re:All the server's will be fixed in a jiffy. (Score:2, Interesting)
You've got a good point here. The problem with worms like Code Red and Nimda is, the patches have been available for months, but the server admins are simply incompetent, and haven't installed them (still!). In many cases, there is no "admin"; the owner of the business paid some paper-MCSE to set it up a long time ago, and they'd have to pay somebody to come back and do maintenance.
This won't be a major issue with an Unreal exploit. Since there is no patch yet, it may take a while for all the servers to get patched, but they will get patched.
I got another Code Red hit today:
Re:Fix already released (Score:4, Insightful)
You, clearly, do not run a dedicated Unreal Tournament server. Or maybe you thought the occasional "runaway-process" that eats all your memory and disk-space before crashing was just a random benign bug?
I had to run ucc-bin in an unprivileged environment and put "ulimit" guard rails around it on my Linux server to keep it from taking the OS with it when it was attacked. Now it's just the game that crashes.
And then, when I had a cron job to detect and bring the server back up- some very unscrupulous players would use the crash-and-restart "feature" to kick other players off the server and have their friends rejoin.
So- now when some id10t crashes the server, it stays down for up to 4 hours. That way the skr1pt k1dd13s get bored and go f--- up someone else's server.
No, I'd say it's been abused. Any dedicated server operator has known about these holes for years. It's nice to see it get acknowledged. There isn't an original UT patch yet. Now let's just hope there's a patch BEFORE there's a whole new slew of exploits.
- PM
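The restart logic the poster above describes, as an added example rather than the poster's own cron job: an isolated crash is restarted at once, but a burst of crashes within a short window is treated as deliberate and the server is held down (the poster uses up to 4 hours) so crash-and-restart cannot be used as a kick tool. The thresholds (3 crashes in 10 minutes) and the crash timeline are constructed.

```python
from collections import deque


class RestartPolicy:
    """Decides whether a crashed server process may be restarted.
    max_crashes crashes inside window_s seconds trigger a hold-down of
    holddown_s seconds; the defaults are constructed for this example."""

    def __init__(self, max_crashes=3, window_s=600, holddown_s=4 * 3600):
        self.max_crashes = max_crashes
        self.window_s = window_s
        self.holddown_s = holddown_s
        self.recent = deque()           # crash timestamps inside the window
        self.down_until = None          # hold-down expiry, if one is active

    def on_crash(self, now_s):
        """Record a crash at now_s; return seconds to wait before restarting."""
        if self.down_until is not None and now_s < self.down_until:
            return self.down_until - now_s      # still held down
        self.recent.append(now_s)
        while now_s - self.recent[0] > self.window_s:
            self.recent.popleft()               # forget crashes outside the window
        if len(self.recent) >= self.max_crashes:
            self.down_until = now_s + self.holddown_s
            self.recent.clear()
            return self.holddown_s
        return 0

    def may_start(self, now_s):
        """True if the supervisor may bring the server up at now_s."""
        return self.down_until is None or now_s >= self.down_until


def restart_delays(crash_times, **kwargs):
    """Feed a constructed crash timeline (seconds) through the policy and
    return the restart delay decided after each crash."""
    policy = RestartPolicy(**kwargs)
    return [policy.on_crash(t) for t in crash_times]


if __name__ == "__main__":
    # constructed timeline: two isolated crashes, then three within ten minutes
    print(restart_delays([0, 5000, 5100, 5150]))   # [0, 0, 0, 14400]
```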