Epic Games Unreal Engine Unreal URL Directory Traversal Vulnerability

Vulnerability ID: 1107185
Vulnerability type: Path traversal
Published: 2003-02-05
Updated: 2003-12-31
CVE ID: CVE-2003-1430
CNNVD-ID: CNNVD-200312-157
Affected platform: Multiple
CVSS score: 5.0
|Vulnerability source
https://www.exploit-db.com/exploits/22224
http://www.cnnvd.org.cn/web/xxk/ldxqById.tag?CNNVD=CNNVD-200312-157
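|Vulnerability details
The Unreal Engine is a network engine used by many games. Unreal URLs (unreal://) do not properly filter user-submitted requests, so a remote attacker can exploit this vulnerability to carry out a traversal attack and view the contents of arbitrary files on the system with the privileges of the web process. Because attacker-submitted Unreal URL requests are not filtered sufficiently, a directory traversal attack can be used to escape the game's installation directory and view the contents of arbitrary files on the system with the privileges of the web process.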
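
The filtering this entry says is missing can be sketched as follows. This is an added example, not Unreal Engine code: `safe_relative_path` is a hypothetical helper, and it assumes the text after `unreal://` is used as a file path relative to the game's installation directory.

```cpp
#include <iostream>
#include <string>
#include <vector>

// Hypothetical helper (not engine code). Returns true only when the text after
// "unreal://" stays inside the install directory; `out` gets the normalized path.
static bool is_sep(char c) { return c == '/' || c == '\\'; }

bool safe_relative_path(const std::string& url, std::string& out) {
    const std::string scheme = "unreal://";
    if (url.compare(0, scheme.size(), scheme) != 0) return false;
    const std::string ref = url.substr(scheme.size());
    // A leading separator is root-relative on Windows; ':' would permit a
    // drive letter or an alternate data stream. Refuse both outright.
    if (ref.empty() || is_sep(ref[0])) return false;
    if (ref.find(':') != std::string::npos) return false;

    std::vector<std::string> parts;
    std::string cur;
    for (size_t i = 0; i <= ref.size(); ++i) {
        if (i < ref.size() && !is_sep(ref[i])) { cur += ref[i]; continue; }
        if (cur.empty() || cur == ".") {
            // Doubled separator or "." component: nothing to record.
        } else if (cur == "..") {
            if (parts.empty()) return false;   // would climb above the base
            parts.pop_back();
        } else if (cur.back() == '.' || cur.back() == ' ') {
            return false;   // Win32 trims trailing dots/spaces, creating aliases
        } else {
            parts.push_back(cur);
        }
        cur.clear();
    }
    if (parts.empty()) return false;           // no file named
    out.clear();
    for (size_t i = 0; i < parts.size(); ++i)
        out += (i ? "/" : "") + parts[i];
    return true;
}

int main() {
    // First two forms are the ones this entry lists; the third is constructed.
    const char* samples[] = {"unreal://\\directory\\file",
        "unreal://..\\..\\directory\\file", "unreal://maps\\dm\\..\\intro.unr"};
    for (const char* s : samples) {
        std::string out;
        std::cout << s << " -> " << (safe_relative_path(s, out) ? out : "REJECTED") << "\n";
    }
}
```

String normalization does not account for symbolic links or junctions inside the installation directory, so the resolved path should still be compared with the base directory before the file is opened.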
|Vulnerability exploit (EXP)
source: http://www.securityfocus.com/bid/6775/info

It has been reported that a directory traversal vulnerability exists in several games using some versions of the Unreal Engine.

It is possible for attackers to traverse outside of the game's installation directory using directory traversal sequences.

If the attacker refers to specific files it may be possible to cause the vulnerable game client to crash.

unreal://\directory\file
unreal://..\..\directory\file
|References

Source: XF
Name: ut-file-directory-traversal(11299)
Link: http://xforce.iss.net/xforce/xfdb/11299
Source: BID
Name: 6775
Link: http://www.securityfocus.com/bid/6775
Source: BUGTRAQ
Name: 20030211 Re: Epic Games threatens to sue security researchers
Link: http://archives.neohapsis.com/archives/bugtraq/2003-02/0142.html
Source: BUGTRAQ
Name: 20030205 Unreal engine: results of my research
Link: http://archives.neohapsis.com/archives/bugtraq/2003-02/0063.html
Source: NSFOCUS
Name: 4356
Link: http://www.nsfocus.net/vulndb/4356