#######################################################################

                             Luigi Auriemma

Applications: Armed Assault and Armed Assault II (Real Virtuality engine)
              http://www.armedassault.com
              http://www.arma2.com
Versions:     ArmA <= 1.14 (beta 1.16 is vulnerable too)
              ArmA 2 <= 1.04
              Operation Flashpoint: Cold War Crisis <= 1.46
              Operation Flashpoint: Resistance <= 1.96
              VBS1 <= 1.99
              VBS2 <= 1.3
Platforms:    Windows (a Linux server also exists for ArmA, which is
              probably vulnerable too)
Bug:          resource consumption, NULL pointer or termination
Exploitation: remote, versus server
Date:         18 Jul 2009
Author:       Luigi Auriemma
              e-mail: aluigi@autistici.org
              web:    aluigi.org

#######################################################################

1) Introduction
2) Bug
3) The Code
4) Fix

#######################################################################

===============
1) Introduction
===============

Armed Assault (better known as ArmA) is a tactical military shooter
developed by Bohemia Interactive (http://www.bistudio.com). ArmA 2 is
the most recent game of the series and also the most played.

Real Virtuality is the name of the engine that powers these games; it
is also used as a simulator by military forces.

#######################################################################

======
2) Bug
======

In my tests I found a weird behaviour of the server during the handling
of the last field of the join packet (it looks like an id of the
datafile) when it's set to 0 or 1.

In practice, if it's set to 1 the server usually terminates immediately
with an error about not being able to allocate enough memory, while if
it's set to zero and at least two players use the same number, the
result is resource consumption (CPU at 100%, and memory in ArmA), a
NULL pointer dereference (in ArmA 2), or other similar effects.

No additional or deeper research has been performed.

If the server is protected by a password, the attacker must know the
right keyword.

#######################################################################

===========
3) The Code
===========

http://aluigi.org/poc/armazzo.zip

#######################################################################

======
4) Fix
======

No fix.

UPDATE: ArmA2 1.07

#######################################################################