UnrealScript Abuse
dustinechoes849
May 17th, 2020 at 10:41pm
Hiya! Haven't been in these parts in ages.
Recently, a member of the Unreal community was being bullied on an Unreal Tournament server. Either an admin or the server owner managed to open a porn site on the client's computer.
Although I do not possess the code they were using, they most likely used this function:
Code (Java)
GetPlayerOwner().ConsoleCommand("start http://www.epicgames.com/");
 


Above is a code snippet from the "About Epic Games" button in the UMenu.

This can, of course, be changed to any web link. It can be called on a client at a rapid rate, and without their consent.

Here's an example of a server opening a blank web page every tick on all its clients:
https://cdn.discordapp.com/attachments/206653527752179712/711696079552512180/VID...
Rest in peace, media tag
The computer gets slowed to a crawl, the only way to stop it being to close Unreal, which can be a real pain when browser windows are continuously popping up. My laptop's Core 2 Extreme was running full time.

Of course that's not the only command that can be abused. Here's a version that does the following:
  • Switches between fullscreen and windowed mode with the "togglefullscreen" command.
  • Changes the game to an unsupported resolution, with the "setres" command.
  • Plays loud glass breaking sounds.
  • Forces the client to say humiliating things in chat.
  • Changes the game's brightness from 0.1 to 1, causing a potentially seizure-inducing effect.
  • Opens the infamous "yotube.com" phishing site at random intervals, as an example of how it could be used to put malware on a client's machine.
  • Plays music in the web browser, which is incredibly difficult to turn off.
  • Opens a "How to tie a noose" tutorial, as an example of how you can use this in a hurtful way.
  • Maxes out the game's sound and music volumes, as well as lowers the sample rate to 8000Hz.
  • Cranks the GUI mouse sensitivity up to 500, making it unusable with the mouse.
  • Changes the client's name to something mean.
  • Disables frame rate limit for OpenGL (and DX I think, too.)
  • Saves these screwed up settings.
  • Temporarily sets the client's view bob to 10.

The red dot designates commands that are done repeatedly - usually every tick, with some being on a timer or randomized.

Note that the "yotube" routine was commented out, because the machine I ran this on is running Windows 7, and I did not want to risk a virus infection.
https://cdn.discordapp.com/attachments/206653527752179712/711696062389289071/VID...
The computer is damn near inoperable here, the only way I managed to escape it was to Alt+F4 and log out.
After running it a few times, it actually managed to corrupt the game's .ini and the game refuses to start now due to a vague graphics error.



That's about it, I just wanted to raise awareness among the 227 developers about this potentially very big security hole.
I would post the source code here, if I knew for sure that some scumbag script kiddie wasn't gonna use it. If you're a 227 dev and want it, just PM me.
  


don't bother trying to message me over AIM, I haven't used that in years lol
I have a Discord, the number thingie is #6413
 
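A defender-side check for the call pattern quoted in the opening post, added here as an example (it is not part of the thread and not any poster's code). It assumes a package's scripts are available as UnrealScript source text; `scan`, `RISKY` and the sample class are hypothetical names, and the sample source is constructed.

```python
import re

# Console commands this thread names as abused when server-supplied script runs them.
RISKY = ("start", "togglefullscreen", "setres")

# A string literal, a // comment, or a /* */ comment, whichever starts first.
TOKEN = re.compile(r'"(?:[^"\\\n]|\\.)*"|//[^\n]*|/\*.*?\*/', re.DOTALL)
# UnrealScript is case-insensitive, so match ConsoleCommand in any casing.
CALL = re.compile(r'ConsoleCommand\s*\((.*?)\)\s*;', re.IGNORECASE | re.DOTALL)
LITERAL = re.compile(r'^"((?:[^"\\]|\\.)*)"$')

def strip_comments(src):
    """Blank out comments but keep string literals, which may contain // (URLs)."""
    def repl(m):
        text = m.group(0)
        return text if text.startswith('"') else re.sub(r"[^\n]", " ", text)
    return TOKEN.sub(repl, src)

def scan(source):
    """Return (line, kind, argument) for each ConsoleCommand call worth reviewing."""
    findings = []
    clean = strip_comments(source)
    for m in CALL.finditer(clean):
        line = clean.count("\n", 0, m.start()) + 1
        arg = m.group(1).strip()
        lit = LITERAL.match(arg)
        if lit is None:
            # Command string is built at run time: cannot be judged statically.
            findings.append((line, "dynamic", arg))
            continue
        words = lit.group(1).split()
        if words and words[0].lower() in RISKY:
            findings.append((line, words[0].lower(), lit.group(1)))
    return findings

SAMPLE = '''class DemoActor extends Actor;  // constructed sample, not from the thread
function Demo(string Msg)
{
    // GetPlayerOwner().ConsoleCommand("start http://commented.example/");
    GetPlayerOwner().ConsoleCommand("start http://www.epicgames.com/");
    GetPlayerOwner().ConsoleCommand("stat fps");
    GetPlayerOwner().consolecommand("SetRes 640x480");
    GetPlayerOwner().ConsoleCommand("say " $ Msg);
}
'''

if __name__ == "__main__":
    for finding in scan(SAMPLE):
        print(finding)
```

Calls whose argument is not a single string literal are reported as `dynamic` rather than cleared, because the command they run is only known at run time.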
[]KAOS[]Casey
Reply #1 - May 18th, 2020 at 3:39am
if you think that's bad wait until you learn about what UT can do. these are non issues compared to UT.
  
 
Skrilax_CZ
Reply #2 - May 19th, 2020 at 12:49am
There are multiple critical security issues present in UT / UT2004.

- Both UT and UT2004 (32-bit Windows) have the ability to install and load custom DLLs in the background without requiring user approval. This typically means you can do literally anything on the client machine if you have malicious intent. Utilized for anti-cheat purposes or for music download in UT2004.
- UT2004: you can upload files back to server through an exploit in webadmin (utilized in ScreenShot sender for UT2004)
- UT2004: Run a custom executable using web browser (as long as you can point it to a webpage on local drive that would launch an executable) - both of which extracted from cache

Other than that, you can do the following directly through UnrealScript:
- Control the player (pass commands through server as if they were typed to console)
- Damage any clientside .ini configurations (and save them), this includes changing name, remapping controls, GUI settings or crashing the client on startup
- Export cached content and install it permanently
- Jumpscare the player
- Open any webpage.
- Lag the player
- Crash the player's client

In order to protect yourself from permanent changes, you will need to set your System directory as read only whenever you play on servers (i.e. using a separate user etc. or separate system folder).

You WILL need to modify the DLLs (typically "Engine.dll") to prevent opening the web browser. You can do so by hexediting the offending command to some garbage. If you play under a specific user that's not used for anything then set default web browser to some nonsense.
  
 
[]KAOS[]Casey
Reply #3 - May 19th, 2020 at 4:28am
for U1, really all you need to do is readonly your system folder and you're mostly protected from the more permanent stuff. UT99 is a bust as displayed previously.. ut99 can unpack an executable and run it directly with whatever privileges the ut is running too :^)
  
 
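The read-only System directory advice in Replies #2 and #3, and the .ini damage described in Reply #2, as an added example (not part of the thread and not any poster's code): back up the client .ini files before a session, optionally mark them read-only, and restore any that changed afterwards. Function names are hypothetical, a temporary directory stands in for the System directory, and the file contents are constructed placeholders.

```python
import hashlib
import shutil
import tempfile
from pathlib import Path

def digest(path):
    return hashlib.sha256(path.read_bytes()).hexdigest()

def snapshot(system_dir, backup_dir):
    """Back up every .ini in the System directory; return {name: sha256}."""
    backup_dir.mkdir(parents=True, exist_ok=True)
    manifest = {}
    for ini in sorted(system_dir.glob("*.ini")):
        shutil.copy2(ini, backup_dir / ini.name)
        manifest[ini.name] = digest(ini)
    return manifest

def set_readonly(system_dir, readonly=True):
    """Clear (or restore) write bits; on Windows this toggles the read-only attribute."""
    for ini in system_dir.glob("*.ini"):
        mode = ini.stat().st_mode
        ini.chmod(mode & ~0o222 if readonly else mode | 0o200)

def restore_changed(system_dir, backup_dir, manifest):
    """Put back any .ini that was modified or deleted since the snapshot."""
    restored = []
    for name, want in manifest.items():
        target = system_dir / name
        if target.exists():
            if digest(target) == want:
                continue
            target.chmod(target.stat().st_mode | 0o200)  # writable so it can be overwritten
        shutil.copy2(backup_dir / name, target)
        restored.append(name)
    return restored

def demo():
    """Constructed run: one .ini rewritten and one deleted during a 'session'."""
    with tempfile.TemporaryDirectory() as tmp:
        system, backup = Path(tmp, "System"), Path(tmp, "ini-backup")
        system.mkdir()
        (system / "Unreal.ini").write_text("[Demo]\nExampleKey=1\n")
        (system / "User.ini").write_text("[Demo]\nName=Player\n")
        manifest = snapshot(system, backup)
        (system / "User.ini").write_text("[Demo]\nName=SomethingMean\n")
        (system / "Unreal.ini").unlink()
        restored = restore_changed(system, backup, manifest)
        return sorted(restored), (system / "User.ini").read_text()
```

Run `snapshot` before joining a server and `restore_changed` after leaving; `demo()` shows both files coming back in their original state.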
dustinechoes849
Reply #4 - May 20th, 2020 at 12:49pm
Skrilax_CZ wrote on May 19th, 2020 at 12:49am:
There are multiple critical security issues present in UT / UT2004.

- Both UT and UT2004 (32-bit Windows) have the ability to install and load custom DLLs in the background without requiring user approval. This typically means you can do literally anything on the client machine if you have malicious intent. Utilized for anti-cheat purposes or for music download in UT2004.
- UT2004: you can upload files back to server through an exploit in webadmin (utilized in ScreenShot sender for UT2004)
- UT2004: Run a custom executable using web browser (as long as you can point it to a webpage on local drive that would launch an executable) - both of which extracted from cache

Other than that, you can do the following directly through UnrealScript:
- Control the player (pass commands through server as if they were typed to console)
- Damage any clientside .ini configurations (and save them), this includes changing name, remapping controls, GUI settings or crashing the client on startup
- Export cached content and install it permanently
- Jumpscare the player
- Open any webpage.
- Lag the player
- Crash the player's client

In order to protect yourself from permanent changes, you will need to set your System directory as read only whenever you play on servers (i.e. using a separate user etc. or separate system folder).

You WILL need to modify the DLLs (typically "Engine.dll") to prevent opening the web browser. You can do so by hexediting the offending command to some garbage. If you play under a specific user that's not used for anything then set default web browser to some nonsense.


Damn. I didn't know how bad this was.
  


 
BobIsUnreal
Reply #5 - May 20th, 2020 at 5:26pm
should have used this classic webpage as the url like everyone did in the 200's
https://piv.pivpiv.dk/
  
