Vulnerabilities > CVE-2004-0608
Summary
The Unreal Engine, as used in DeusEx 1.112fm and earlier, Devastation 390 and earlier, Mobile Forces 20000 and earlier, Nerf Arena Blast 1.2 and earlier, Postal 2 1337 and earlier, Rune 107 and earlier, Tactical Ops 3.4.0 and earlier, Unreal 1 226f and earlier, Unreal II XMP 7710 and earlier, Unreal Tournament 451b and earlier, Unreal Tournament 2003 2225 and earlier, Unreal Tournament 2004 before 3236, Wheel of Time 333b and earlier, and X-com Enforcer, allows remote attackers to execute arbitrary code via a UDP packet containing a secure query with a long value, which overwrites memory.
Vulnerable Configurations
Part | Description | Count |
---|---|---|
Application | Epic_Games | 11 |
Application | | 1 |
Application | | 1 |
Application | | 1 |
Application | | 2 |
Application | | 1 |
Application | | 1 |
Application | | 1 |
Application | | 1 |
OS | | 1 |
Exploit-Db
description | Unreal Tournament 2004 "Secure" Overflow. CVE-2004-0608. Remote exploit for linux platform |
id | EDB-ID:10032 |
last seen | 2016-02-01 |
modified | 2004-07-18 |
published | 2004-07-18 |
reporter | onetwo |
source | https://www.exploit-db.com/download/10032/ |
title | Unreal Tournament 2004 - "Secure" Overflow |

description | Unreal Tournament 2004 "secure" Overflow (Linux). CVE-2004-0608. Remote exploit for linux platform |
id | EDB-ID:16848 |
last seen | 2016-02-02 |
modified | 2010-09-20 |
published | 2010-09-20 |
reporter | metasploit |
source | https://www.exploit-db.com/download/16848/ |
title | Unreal Tournament 2004 - "secure" Overflow Linux |

description | Unreal Tournament 2004 "secure" Overflow (Win32). CVE-2004-0608. Remote exploit for windows platform |
id | EDB-ID:16693 |
last seen | 2016-02-02 |
modified | 2010-09-20 |
published | 2010-09-20 |
reporter | metasploit |
source | https://www.exploit-db.com/download/16693/ |
title | Unreal Tournament 2004 - "secure" Overflow Win32 |
Metasploit
description | This is an exploit for the GameSpy secure query in the Unreal Engine. This exploit only requires one UDP packet, which can be both spoofed and sent to a broadcast address. Usually, the GameSpy query server listens on port 7787, but you can manually specify the port as well. The RunServer.sh script will automatically restart the server upon a crash, giving us the ability to bruteforce the service and exploit it multiple times. |
id | MSF:EXPLOIT/LINUX/GAMES/UT2004_SECURE |
last seen | 2020-06-01 |
modified | 2017-07-24 |
published | 2005-12-26 |
references | https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2004-0608 |
reporter | Rapid7 |
source | https://github.com/rapid7/metasploit-framework/blob/master//modules/exploits/linux/games/ut2004_secure.rb |
title | Unreal Tournament 2004 "secure" Overflow (Linux) |

description | This is an exploit for the GameSpy secure query in the Unreal Engine. This exploit only requires one UDP packet, which can be both spoofed and sent to a broadcast address. Usually, the GameSpy query server listens on port 7787, but you can manually specify the port as well. The RunServer.sh script will automatically restart the server upon a crash, giving us the ability to bruteforce the service and exploit it multiple times. |
id | MSF:EXPLOIT/WINDOWS/GAMES/UT2004_SECURE |
last seen | 2020-03-23 |
modified | 2017-07-24 |
published | 2005-12-26 |
references | https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2004-0608 |
reporter | Rapid7 |
source | https://github.com/rapid7/metasploit-framework/blob/master//modules/exploits/windows/games/ut2004_secure.rb |
title | Unreal Tournament 2004 "secure" Overflow (Win32) |
Nessus
NASL family | Gain a shell remotely |
NASL id | UNREAL_DOS.NASL |
description | The remote host was running a game server with the Unreal Engine on it. The game server is vulnerable to a remote attack which allows for arbitrary code execution. Note that Nessus disabled this service while testing for this flaw. |
last seen | 2020-06-01 |
modified | 2020-06-02 |
plugin id | 12285 |
published | 2004-06-22 |
reporter | This script is Copyright (C) 2004-2018 Tenable Network Security, Inc. |
source | https://www.tenable.com/plugins/nessus/12285 |
title | Unreal Engine Secure Query Remote Overflow |
code |

```
#
# (C) Tenable Network Security, Inc.
#

include("compat.inc");

if (description)
{
  script_id(12285);
  script_version("1.18");
  script_cvs_date("Date: 2018/08/06 14:03:14");

  script_cve_id("CVE-2004-0608");
  script_bugtraq_id(10570);

  script_name(english:"Unreal Engine Secure Query Remote Overflow");
  script_summary(english:"Crashes the remote Unreal Engine Game Server");

  script_set_attribute(attribute:"synopsis", value:
"The remote host has an application that may arbitrary code execution on the remote system.");
  script_set_attribute(attribute:"description", value:
"The remote host was running a game server with the Unreal Engine on it. The game server is vulnerable to a remote attack which allows for arbitrary code execution.

Note that Nessus disabled this service while testing for this flaw.");
  script_set_attribute(attribute:"solution", value:"Epic has released a patch for this issue.");
  script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C");
  script_set_cvss_temporal_vector("CVSS2#E:F/RL:OF/RC:C");
  script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
  script_set_attribute(attribute:"exploit_available", value:"true");
  script_set_attribute(attribute:"metasploit_name", value:'Unreal Tournament 2004 "secure" Overflow (Win32)');
  script_set_attribute(attribute:"exploit_framework_metasploit", value:"true");
  script_set_attribute(attribute:"exploit_framework_canvas", value:"true");
  script_set_attribute(attribute:"canvas_package", value:'CANVAS');

  script_set_attribute(attribute:"vuln_publication_date", value:"2004/06/19");
  script_set_attribute(attribute:"plugin_publication_date", value:"2004/06/22");

  script_set_attribute(attribute:"plugin_type", value:"remote");
  script_end_attributes();

  # ACT_DESTRUCTIVE_ATTACK: the check can take the service down.
  script_category(ACT_DESTRUCTIVE_ATTACK);
  script_copyright(english:"This script is Copyright (C) 2004-2018 Tenable Network Security, Inc.");
  script_family(english:"Gain a shell remotely");
  exit(0);
}

include("audit.inc");

port = 7777;
if (!get_udp_port_state(port)) audit(AUDIT_PORT_CLOSED, port, "UDP");

soc = open_sock_udp(port);
if (!soc) audit(AUDIT_SOCK_FAIL, port, "UDP");

init = string("\\status\\");
malpacket = string("\\secure\\", crap(data:"a", length:1024) );

# Confirm the service answers a \status\ query before testing it.
send(socket:soc, data:init);
r = recv(socket:soc, length:128);
if (r)
{
  send(socket:soc, data:malpacket);
  r = recv(socket:soc, length:128);
  # No reply after the long \secure\ value: the server stopped responding.
  if (! r)
  {
    security_hole(port:port, proto:"udp");
    exit(0);
  }
}
```

NASL family | Gentoo Local Security Checks |
NASL id | GENTOO_GLSA-200407-14.NASL |
description | The remote host is affected by the vulnerability described in GLSA-200407-14 (Unreal Tournament 2003/2004: Buffer overflow in |
last seen | 2020-06-01 |
modified | 2020-06-02 |
plugin id | 14547 |
published | 2004-08-30 |
reporter | This script is Copyright (C) 2004-2019 Tenable Network Security, Inc. |
source | https://www.tenable.com/plugins/nessus/14547 |
title | GLSA-200407-14 : Unreal Tournament 2003/2004: Buffer overflow in 'secure' queries |
code |

```
#%NASL_MIN_LEVEL 80502
#
# (C) Tenable Network Security, Inc.
#
# The descriptive text and package checks in this plugin were
# extracted from Gentoo Linux Security Advisory GLSA 200407-14.
#
# The advisory text is Copyright (C) 2001-2015 Gentoo Foundation, Inc.
# and licensed under the Creative Commons - Attribution / Share Alike
# license. See http://creativecommons.org/licenses/by-sa/3.0/
#

include("compat.inc");

if (description)
{
  script_id(14547);
  script_version("1.18");
  script_cvs_date("Date: 2019/08/02 13:32:41");

  script_cve_id("CVE-2004-0608");
  script_xref(name:"GLSA", value:"200407-14");

  script_name(english:"GLSA-200407-14 : Unreal Tournament 2003/2004: Buffer overflow in 'secure' queries");
  script_summary(english:"Checks for updated package(s) in /var/db/pkg");

  script_set_attribute(
    attribute:"synopsis",
    value:
"The remote Gentoo host is missing one or more security-related patches."
  );
  script_set_attribute(
    attribute:"description",
    value:
"The remote host is affected by the vulnerability described in GLSA-200407-14 (Unreal Tournament 2003/2004: Buffer overflow in 'secure' queries)

The Unreal-based game servers support a specific type of query called 'secure'. Part of the Gamespy protocol, this query is used to ask if the game server is able to calculate an exact response using a provided string. Luigi Auriemma found that sending a long 'secure' query triggers a buffer overflow in the game server.

Impact :

By sending a malicious UDP-based 'secure' query, an attacker could execute arbitrary code on the game server.

Workaround :

Users can avoid this vulnerability by not using Unreal Tournament to host games as a server. All users running a server should upgrade to the latest versions."
  );
  script_set_attribute(
    attribute:"see_also",
    value:"http://aluigi.altervista.org/adv/unsecure-adv.txt"
  );
  script_set_attribute(
    attribute:"see_also",
    value:"https://security.gentoo.org/glsa/200407-14"
  );
  script_set_attribute(
    attribute:"solution",
    value:
"All Unreal Tournament users should upgrade to the latest available versions:
    # emerge sync
    # emerge -pv '>=games-fps/ut2003-2225-r3'
    # emerge '>=games-fps/ut2003-2225-r3'
    # emerge -pv '>=games-server/ut2003-ded-2225-r2'
    # emerge '>=games-server/ut2003-ded-2225-r2'
    # emerge -pv '>=games-fps/ut2004-3236'
    # emerge '>=games-fps/ut2004-3236'
    # emerge -pv '>=games-fps/ut2004-demo-3120-r4'
    # emerge '>=games-fps/ut2004-demo-3120-r4'"
  );
  script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C");
  script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
  script_set_attribute(attribute:"exploit_available", value:"true");
  script_set_attribute(attribute:"metasploit_name", value:'Unreal Tournament 2004 "secure" Overflow (Win32)');
  script_set_attribute(attribute:"exploit_framework_metasploit", value:"true");
  script_set_attribute(attribute:"exploit_framework_canvas", value:"true");
  script_set_attribute(attribute:"canvas_package", value:'CANVAS');
  script_set_attribute(attribute:"plugin_type", value:"local");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:gentoo:linux:ut2003");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:gentoo:linux:ut2003-ded");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:gentoo:linux:ut2004");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:gentoo:linux:ut2004-demo");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:gentoo:linux");

  script_set_attribute(attribute:"patch_publication_date", value:"2004/07/19");
  script_set_attribute(attribute:"plugin_publication_date", value:"2004/08/30");
  script_set_attribute(attribute:"vuln_publication_date", value:"2004/06/18");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_copyright(english:"This script is Copyright (C) 2004-2019 Tenable Network Security, Inc.");
  script_family(english:"Gentoo Local Security Checks");

  script_dependencies("ssh_get_info.nasl");
  script_require_keys("Host/local_checks_enabled", "Host/Gentoo/release", "Host/Gentoo/qpkg-list");

  exit(0);
}

include("audit.inc");
include("global_settings.inc");
include("qpkg.inc");

# Local checks need an authenticated Gentoo host with a package list.
if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
if (!get_kb_item("Host/Gentoo/release")) audit(AUDIT_OS_NOT, "Gentoo");
if (!get_kb_item("Host/Gentoo/qpkg-list")) audit(AUDIT_PACKAGE_LIST_MISSING);

flag = 0;

# Flag each installed package whose version is older than the fixed release.
if (qpkg_check(package:"games-fps/ut2004-demo", unaffected:make_list("ge 3120-r4"), vulnerable:make_list("le 3120-r3"))) flag++;
if (qpkg_check(package:"games-server/ut2003-ded", unaffected:make_list("ge 2225-r2"), vulnerable:make_list("le 2225-r1"))) flag++;
if (qpkg_check(package:"games-fps/ut2003", unaffected:make_list("ge 2225-r3"), vulnerable:make_list("le 2225-r2"))) flag++;
if (qpkg_check(package:"games-fps/ut2004", unaffected:make_list("ge 3236"), vulnerable:make_list("lt 3236"))) flag++;

if (flag)
{
  if (report_verbosity > 0) security_hole(port:0, extra:qpkg_report_get());
  else security_hole(0);
  exit(0);
}
else
{
  tested = qpkg_tests_get();
  if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
  else audit(AUDIT_PACKAGE_NOT_INSTALLED, "Unreal Tournament 2003/2004");
}
```
Packetstorm
data source | https://packetstormsecurity.com/files/download/82230/ut2004_secure.rb.txt |
id | PACKETSTORM:82230 |
last seen | 2016-12-05 |
published | 2009-10-27 |
reporter | onetwo |
source | https://packetstormsecurity.com/files/82230/Unreal-Tournament-2004-Overflow.html |
title | Unreal Tournament 2004 Overflow |