UTCOMP exploit that gives hackers access to your server

April 30, 2012

As some may have heard lately from Wormbo on UTZone and other forums, UTCOMP has an exploit, stemming from bad design, which lets hackers create Admin accounts for themselves and see all other Admin accounts, names and passwords. FTP access is even possible (make sure you have different passwords for each).

How it works:
This exploit is possible due to the voting system of UTCOMP: UTCOMP allows any client to call the engine's ServerTravel function, so a client can pass any options on the command line, such as AdminName=? and AdminPassword=?, to give themselves admin rights.

The exploit is done by calling ServerTravel with the AdminPassword and AdminName options; together with "Admin get CLASS VARIABLE", this can give them access to WebAdmin and therefore all Admin passwords, which the hacker can use to erase his admin account.
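
To make the root cause concrete, here is an added sketch (not UTCOMP's or Epic's code, and written in Python rather than UnrealScript) of the server-side check a vote handler needs before handing a client-supplied string to ServerTravel: allowlist the map and every option key, and reject anything else. The allowed maps, the allowed option keys and all function names are assumptions chosen for illustration.

```python
# Added example: allowlist validation of a client-supplied travel URL.
# Unreal travel URLs have the form  Map?Key=Value?Key=Value  and option
# keys are case-insensitive. All names here are hypothetical, not UTCOMP code.

ALLOWED_OPTIONS = {"game", "mutator"}            # assumed safe keys for votes
ALLOWED_MAPS = {"dm-rankin", "ctf-faceclassic"}  # constructed map rotation


class RejectedTravel(ValueError):
    """Raised when a vote-supplied URL must not reach ServerTravel."""


def sanitize_travel_url(url: str) -> str:
    """Return the URL unchanged if every part is allowlisted, else raise."""
    # Refuse whitespace and control characters outright.
    if not url or any(c.isspace() or ord(c) < 0x20 for c in url):
        raise RejectedTravel("empty URL or whitespace/control characters")
    map_name, *raw_options = url.split("?")
    if map_name.lower() not in ALLOWED_MAPS:
        raise RejectedTravel(f"map not in rotation: {map_name!r}")
    seen = set()
    kept = []
    for opt in raw_options:
        key, sep, value = opt.partition("=")
        key_l = key.lower()
        # Reject rather than silently strip, so the attempt can be logged.
        if key_l not in ALLOWED_OPTIONS:
            raise RejectedTravel(f"option not allowed: {key!r}")
        if not sep or not value:
            raise RejectedTravel(f"option without value: {key!r}")
        if key_l in seen:
            raise RejectedTravel(f"duplicate option: {key!r}")
        seen.add(key_l)
        kept.append(f"{key}={value}")
    return "?".join([map_name, *kept])


def check(url: str) -> str:
    """Return 'ok' or the rejection reason, suitable for a server log line."""
    try:
        sanitize_travel_url(url)
        return "ok"
    except RejectedTravel as exc:
        return str(exc)
```

The design point is that the option keys are allowlisted rather than blocklisted, so admin-related options and any other key the vote feature never needs are refused without having to be enumerated.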

How you can fix it:
Luckily there is a temporary fix for this, which is as easy as disabling UTCOMP VOTING on your server so that hackers cannot exploit those functions.

Notice: Even though disabling UTCOMP VOTING fixes this exploit, there are still several other little exploits within UTCOMP. If you really want to be 100% safe, remove UTCOMP from your server, including the .u file.

You can read more about it on UnrealWiki.

If someone makes a code fix for this, then let people know about it on the forums of Epic Games.

UT2004 Exploit