CVE-2004-0608
published 2004-12-06

CVE-2004-0608: The Unreal Engine, as used in DeusEx 1.112fm and earlier, Devastation 390 and earlier, Mobile Forces 20000 and earlier, Nerf Arena Blast 1.2 and earlier…

Priority: P359 (critical)
CVSS 2.0: 10 (AV:N/AC:L/Au:N/C:C/I:C/A:C)
EXPLOIT
EPSS: 73.54% (99.4th percentile)
The Unreal Engine, as used in DeusEx 1.112fm and earlier, Devastation 390 and earlier, Mobile Forces 20000 and earlier, Nerf Arena Blast 1.2 and earlier, Postal 2 1337 and earlier, Rune 107 and earlier, Tactical Ops 3.4.0 and earlier, Unreal 1 226f and earlier, Unreal II XMP 7710 and earlier, Unreal Tournament 451b and earlier, Unreal Tournament 2003 2225 and earlier, Unreal Tournament 2004 before 3236, Wheel of Time 333b and earlier, and X-com Enforcer, allows remote attackers to execute arbitrary code via a UDP packet containing a secure query with a long value, which overwrites memory.

Affected

19 ranges
Vendor                 Product                  Version range   Fixed in
arush                  devastation
epic_games             unreal_engine
epic_games             unreal_engine
epic_games             unreal_engine
epic_games             unreal_tournament
epic_games             unreal_tournament_2003
epic_games             unreal_tournament_2003
epic_games             unreal_tournament_2003
epic_games             unreal_tournament_2003
epic_games             unreal_tournament_2003
epic_games             unreal_tournament_2004
epic_games             unreal_tournament_2004
gentoo                 linux
infogrames             tacticalops
ion_storm              deusex
nerf_arena_blast       nerf_arena_blast
rage_software          mobile_forces
robert_jordan          wheel_of_time
running_with_scissors  postal_2

Detection & IOCs (extracted from sources)

port: 7787/UDP
command: \secure\
command: \basic\
  • Exploit requires only a single UDP packet to port 7787 containing a '\secure\' query prefix with an oversized value; monitor for oversized UDP packets to this port beginning with the '\secure\' token.
  • The exploit packet can be spoofed or sent to a broadcast address, making source IP filtering unreliable; focus detection on payload content (\secure\ prefix + large buffer) rather than source address.
  • Vulnerable UT2004 build versions are 3120, 3186, and 3204; detect via GameSpy \basic\ query response parsing the \gamever\ field to identify unpatched servers (patched version is 3236+).
  • Bad characters in payload are \x5c and \x00; any IDS signature for this exploit should account for these bytes being absent from the shellcode portion of the UDP payload.
  • On Linux targets, the exploit embeds a LEA/JMP gadget (\x8d\x64\x24\x0c\xff\xe4) at offset 48 within the NOP-sled buffer; presence of this byte sequence in a UDP payload to port 7787 is a strong indicator of exploitation.
  • The GameSpy query port defaults to 7787 UDP but can be manually reconfigured; ensure monitoring covers non-default ports if the server is deployed with a custom query port.
  • The RunServer.sh script auto-restarts the server after a crash, enabling brute-force exploitation; repeated server crashes on the game server process should be treated as an active exploitation indicator.
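
The payload-based checks in the list above, as an added example that is not part of the original record: it flags a \secure\ query with an oversized value, the Linux byte sequence quoted above, and a \gamever\ build below 3236. The 32-byte threshold, the function names and the sample datagrams are assumptions made for this illustration.

```python
# Added example: payload triage for GameSpy query datagrams (CVE-2004-0608).
SECURE = b"\\secure\\"
LINUX_GADGET = bytes.fromhex("8d64240cffe4")  # byte sequence listed on the page
MAX_SECURE_VALUE = 32  # assumption: the page gives no exact length; tune it
FIXED_BUILD = 3236     # first patched UT2004 build per the page


def inspect_query(payload: bytes) -> list[str]:
    """Return findings for one inbound UDP payload; source IP is ignored."""
    findings = []
    if payload.startswith(SECURE):
        # The value runs to the next backslash or the end of the datagram.
        value = payload[len(SECURE):].split(b"\\", 1)[0]
        if len(value) > MAX_SECURE_VALUE:
            findings.append(f"oversized-secure-value:{len(value)}")
    if LINUX_GADGET in payload:
        findings.append("linux-gadget-bytes")
    return findings


def parse_kv(reply: bytes) -> dict[str, str]:
    """Parse a backslash-delimited key/value reply into a dict."""
    parts = reply.decode("latin-1").split("\\")[1:]
    return dict(zip(parts[0::2], parts[1::2]))


def is_unpatched_build(basic_reply: bytes) -> bool:
    """True when the gamever field is a build number below FIXED_BUILD.

    The build numbers are UT2004's; scope this check to UT2004 servers.
    """
    ver = parse_kv(basic_reply).get("gamever", "")
    return ver.isdigit() and int(ver) < FIXED_BUILD


if __name__ == "__main__":
    # Constructed sample datagrams, not captured traffic.
    samples = [
        b"\\secure\\abcdef",
        b"\\secure\\" + b"A" * 48 + LINUX_GADGET + b"A" * 16,
    ]
    for pkt in samples:
        print(len(pkt), inspect_query(pkt))
    print(is_unpatched_build(b"\\gamever\\3204\\final\\"))
```

Apply inspect_query to whichever UDP port the server's query listener is configured on, since 7787 is only the default.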