=======================================================
Unreal Tournament server exploits patched in XC_Engine:

*** StaticLoadObject bug
https://www.exploit-db.com/exploits/23799/
Affects DynamicLoadObject and client join.
By adding %n to a load command the game will crash.
PATCHED:
- Using ReplaceFunction to replace Object.DynamicLoadObject native with XC_Core.DynamicLoadObject_Fix
- Using ReplaceFunction to replace GameInfo.PreLogin with XC_Engine_GameInfo.PreLogin_Org
See XC_Engine_GameInfo.CheckPreLogins for more info.


*** Reliable Buffer overflow
http://aluigi.altervista.org/adv/unreliable-adv.txt
Forces a server shutdown.
PATCHED (win32)
- Undisclosed
WORKAROUND (linux)
- Remove Engine.ChannelDownload from the net driver's download managers.


*** "secure" query buffer overflow
http://aluigi.altervista.org/adv/unsecure-adv.txt
Sending a secure query with more than 6 characters leads to undefined behaviour in the program.
PATCHED:
- Using ReplaceFunction to replace InternetLink.Validate with XC_UdpServerQuery.Validate (XC_IpServerFix).
The original Validate function is backed up in XC_UdpServerQuery.Validate_Org and called after the
replacement performs a security check on the string parameter.


*** ICMP port unreachable.
Each packet stops the server's net driver packet query loop and delays it to the next tick.
Sending enough packets can increase server lag until the server's TCP buffer is filled.
The most noticeable symptom is all players' latency spiking to 6000 and the server being
unable to take incoming connections.
PATCHED:
- Use XC_IpDrv.XC_TcpNetDriver as the server's net driver.
Note: XC_ConnectionHandler actor is automatically spawned by XC_Engine, it'll manually
close dataless connections to accelerate the server's recovery and keep it able to take
incoming connections from new players.


*** Memory being slowly eaten up until garbage collection.
When a server creates an object, this object is created with a unique name.
These names are then mapped on a fixed-size name hash.
When an object is destroyed, its name will not be used again, but it cannot be deleted
because it may still be in use somewhere else in code/level.
When the name table becomes overburdened, the operation of removing names from it during garbage
collection becomes a ridiculously slow task that may render a server unusable for minutes.
PATCHED:
- Actor name recycling during gameplay.
- XC_IpDrv name recycling for connections.
- Channel names related to their table index in new relevancy. (only server) (0 to 1023)


*** PreLogin bypass / fake player exploit.
It is possible to bypass the server's PreLogin function, potentially making the password
protection useless and making it vulnerable to fake player flooding.
PATCHED:
- JOIN command requires LOGIN first, valid player name and class must be supplied by
the client in order to allow joining.


*** Control channel spam.
It is possible to make the server spam the log by sending text commands using the control
channel.
PATCHED:
- Unrecognized commands no longer logged.
- Pre-Join commands have no effect if the player is already in game.
- Post-Join commands have no effect if the player hasn't joined.


*** Mutate command spam.
If the server is running badly coded mutators, it is possible to lag/crash the server by
spamming mutate commands.
PATCHED:
- Replaced PlayerPawn.Mutate with XC_Engine_PlayerPawn.Mutate
Players can only send up to 2 commands per second.
Only players logged in as administrator can fully spam mutate.


*** ShowInventory command spam
It is possible to make the server write huge log files by constantly spamming the
ShowInventory command.
PATCHED:
- Replaced PlayerPawn.ShowInventory with XC_Engine_PlayerPawn.ShowInventory
Only players logged in as administrator can use the command.


*** Speedhack turbo-charge fix.
Players can intentionally slow down their clients in order to confuse the server into
thinking they are several seconds behind in time, then burst all of that acquired time
by temporarily increasing the client speed.
PATCHED:
- Replaced PlayerPawn.ServerMove with XC_Engine_PlayerPawn.ServerMove
No more than 0.5 second of negative time difference can be accumulated.
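
Added example (not XC_Engine code): a small C++ model of the cap described above, comparing
how much movement time a burst can cash in with and without a 0.5 second limit on accumulated
lag. MoveClock, Move, kNoCap and the packet timings are constructed for illustration.

```cpp
#include <algorithm>
#include <cstdio>

// Constructed model for illustration; not XC_Engine's ServerMove code.
struct Move {
    double serverElapsed; // real seconds since the previous move packet
    double clientDelta;   // movement time the client claims for this packet
};

constexpr double kMaxBehind = 0.5; // cap stated in the patch note above
constexpr double kNoCap = -1.0;    // hypothetical flag: model a server without the cap

class MoveClock {
public:
    explicit MoveClock(double cap) : cap_(cap) {}
    // Returns how much of the claimed movement time the server simulates.
    double accept(const Move& m) {
        behind_ += m.serverElapsed; // client falls behind as real time passes
        double granted = std::min(std::max(m.clientDelta, 0.0), behind_);
        behind_ -= granted;         // claimed time catches the client up
        if (cap_ >= 0.0) behind_ = std::min(behind_, cap_); // forget lag beyond the cap
        return granted;
    }
private:
    double cap_;
    double behind_ = 0.0; // accumulated negative time difference
};

// Slow phase: 8 s of real time while claiming only 1 s of movement.
// Burst phase: 8 packets within 1 s of real time, each claiming a full second.
// Returns the movement time granted during the burst phase.
double burstGranted(double cap) {
    MoveClock mc(cap);
    for (int i = 0; i < 8; ++i) mc.accept({1.0, 0.125});
    double total = 0.0;
    for (int i = 0; i < 8; ++i) total += mc.accept({0.125, 1.0});
    return total;
}

int main() {
    std::printf("no cap: %.3f s of movement in 1 s\n", burstGranted(kNoCap));
    std::printf("capped: %.3f s of movement in 1 s\n", burstGranted(kMaxBehind));
    return 0;
}
```

With the cap, the burst gains at most the 0.5 seconds of banked lag on top of real elapsed time.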



