
SANS ISC: InfoSec Handlers Diary Blog



Unreal Engine Heap Overflow, RBOT.CC, ISCAlert

Published: 2004-06-22
Last Updated: 2004-06-22 23:53:01 UTC
by Tom Liston (Version: 1)
Unreal Engine Heap Overflow:

A heap overflow has been found in the Unreal Engine that is exploitable against machines running many Unreal-based games in server mode. Although we have no reports of exploits being used in the wild, it is believed that exploiting this vulnerability to remotely execute code is possible. We recommend that anyone serving one of the vulnerable games based on the Unreal Engine install patches as soon as they become available. Until patches are available, the only secure recourse is to block all UDP traffic to ports 7777 and 7787 (which will, effectively, keep you from acting as a game server). Limiting access to ports 7777 and 7787 to known IPs is not an effective defense because this is a UDP-based attack and packet source addresses can be spoofed.
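An added example, not part of the original diary: a small Python check over iptables-save style rules that tells an unconditional block of UDP 7777/7787 apart from a source allowlist, which the entry notes is ineffective against spoofed UDP. The rulesets, the 192.0.2.10 documentation address and the function names are constructed for illustration, and the parser assumes simple rules whose options each take exactly one unquoted argument.

```python
GAME_PORTS = (7777, 7787)  # UDP ports named in the diary entry

# Constructed iptables-save style rulesets; 192.0.2.10 is a documentation address.
ALLOWLIST_RULES = """\
-A INPUT -p udp -s 192.0.2.10 -m multiport --dports 7777,7787 -j ACCEPT
-A INPUT -p udp -m multiport --dports 7777,7787 -j DROP
"""
BLOCK_RULES = "-A INPUT -p udp -m multiport --dports 7777,7787 -j DROP\n"


def parse_rules(text):
    """Yield (ports or None, has_source, target) for each INPUT rule that can match UDP."""
    for line in text.splitlines():
        tok = line.split()
        if tok[:2] != ["-A", "INPUT"]:
            continue
        # Assumption: every option takes one argument (no "!", no port ranges).
        opts = dict(zip(tok[2::2], tok[3::2]))
        if opts.get("-p", "all") not in ("udp", "all"):
            continue
        spec = opts.get("--dport") or opts.get("--dports")
        # None means the rule has no port match and applies to every port.
        ports = {int(p) for p in spec.split(",")} if spec else None
        yield ports, "-s" in opts, opts.get("-j")


def audit(text):
    """Return {port: verdict} for the game ports, using first-match semantics."""
    rules = list(parse_rules(text))
    verdicts = {}
    for port in GAME_PORTS:
        verdicts[port] = "unmatched"  # falls through to the chain policy
        for ports, has_source, target in rules:
            if ports is not None and port not in ports:
                continue
            if target == "ACCEPT":
                # A source-restricted ACCEPT still admits packets with a forged source.
                verdicts[port] = "spoofable allowlist" if has_source else "open"
                break
            if target in ("DROP", "REJECT") and not has_source:
                verdicts[port] = "blocked"
                break
    return verdicts


if __name__ == "__main__":
    for name, rules in (("allowlist", ALLOWLIST_RULES), ("block", BLOCK_RULES)):
        print(name, audit(rules))
```

A verdict of "unmatched" means no rule decided the packet, so the chain's default policy applies and needs to be checked separately.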

RBOT.CC - Very Evil

A reader forwarded us the source code for rbot.cc for our malware analysis team to analyze. While we haven't had a chance to fully dissect the code, it's pretty obvious that this thing is very, very evil. In addition to the information presented in yesterday's diary, it appears that it can be compiled with the ability to exploit many of the backdoors left behind by email worms such as MyDoom and Bagle, as well as carrying exploit code for exploiting holes in Dameware and weak MSSQL passwords.

Another plug for ISCAlert

ISCAlert is a small information application that sits in your systray and keeps you informed of the Infocon status here at the ISC. The download is only 13kb and contains the 6k ISCAlert.exe application and a .pdf file explaining its use. You can download ISCAlert.zip from:

http://www.labreatechnologies.com/ISCAlert.zip

-----------------------------------------------

Handler on duty: Tom Liston ( http://www.labreatechnologies.com )