#######################################################################

                             Luigi Auriemma

Applications:  Armed Assault and Armed Assault II (Real Virtuality engine)
               http://www.armedassault.com
               http://www.arma2.com
Versions:      ArmA <= 1.14 (beta 1.16 is vulnerable too)
               ArmA 2 <= 1.04
               Operation Flashpoint: Cold War Crisis <= 1.46
               Operation Flashpoint: Resistance <= 1.96
               VBS1 <= 1.99
               VBS2 <= 1.3
Platforms:     Windows (a Linux server also exists for ArmA and is
               probably vulnerable too)
Bug:           format string
Exploitation:  remote, versus server
Date:          18 Jul 2009
Author:        Luigi Auriemma
               e-mail: aluigi@autistici.org
               web:    aluigi.org

#######################################################################

1) Introduction
2) Bug
3) The Code
4) Fix

#######################################################################

===============
1) Introduction
===============

Armed Assault (better known as ArmA) is a tactical military shooter
developed by Bohemia Interactive (http://www.bistudio.com). ArmA 2 is
the most recent game of the series and also the most played.
Real Virtuality is the name of the engine that powers these games; it
is also used as a simulator for military forces.

#######################################################################

======
2) Bug
======

The packet the player sends to join the server is composed of various
fields, such as the usual nickname and the (optional) password, plus a
field specific to this game series that specifies the datafile to use.
If the datafile specified by the player is not the correct one, the
server builds a string like the following:

  "NICKNAME uses modified data file - DATAFILE"

This string is then passed to the logging function, where it is used
as the format string of a snprintf limited to 511 bytes, without the
needed format argument. The attacker therefore has direct control over
the format string through the nickname and datafile fields; the
511-byte limit only bounds the length of the output and does nothing
to stop the directives in the string from being interpreted.
If the server is password-protected the attacker must know the right
keyword.
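The following C program is added here as an illustration; it is not part of the original advisory and not the game's own code, whose source is not public. It reproduces the pattern described above: a hypothetical variadic logging routine built on vsnprintf with a 512-byte buffer (511 characters plus the terminator), the join message assembled from the nickname and datafile fields, and the two ways of calling the logger, the vulnerable one (message used as the format) beside the fixed one (constant "%s" format with the message as data). Function and buffer names are assumptions. count_format_directives() is a simple check a server operator could apply to the two fields before they reach any logging call, or to existing log lines when hunting for attempts.

```c
#include <stdarg.h>
#include <stdio.h>
#include <string.h>

/* 511 usable bytes plus the terminator, matching the limit in the advisory. */
#define LOG_MAX 512

/* Last line written by the logger (kept static so it can be inspected). */
static char g_logline[LOG_MAX];

/* Hypothetical logging routine shaped like the one the advisory describes:
 * the first argument is the printf-style format, so whatever the caller
 * passes there is parsed for % directives. */
static const char *server_log(const char *fmt, ...)
{
    va_list ap;
    va_start(ap, fmt);
    vsnprintf(g_logline, sizeof g_logline, fmt, ap);
    va_end(ap);
    return g_logline;
}

/* Builds the line the server emits when the client's datafile is unknown.
 * Both fields come straight from the join packet. */
static void build_modified_datafile_msg(const char *nick, const char *datafile,
                                        char *out, size_t outlen)
{
    snprintf(out, outlen, "%s uses modified data file - %s", nick, datafile);
}

/* Vulnerable pattern: the attacker-influenced message becomes the format
 * string, so a nickname such as "%x%x%n" is parsed as directives. It is
 * only ever called with benign input here, because its behaviour with
 * real directives and no matching arguments is undefined. */
static const char *log_join_vulnerable(const char *nick, const char *datafile)
{
    char msg[LOG_MAX];
    build_modified_datafile_msg(nick, datafile, msg, sizeof msg);
    return server_log(msg);            /* BUG: msg used as the format */
}

/* Fixed pattern: constant format, message passed as data. Directives in
 * the nickname or datafile are logged literally. */
static const char *log_join_fixed(const char *nick, const char *datafile)
{
    char msg[LOG_MAX];
    build_modified_datafile_msg(nick, datafile, msg, sizeof msg);
    return server_log("%s", msg);      /* FIX: format argument supplied */
}

/* Counts conversion specifications in a field: every '%' that is not the
 * escape "%%". A server can reject join packets whose nickname or datafile
 * yields a non-zero count, and the same check flags suspicious join lines
 * in existing logs. */
static int count_format_directives(const char *s)
{
    int n = 0;
    for (; *s; s++) {
        if (*s != '%')
            continue;
        if (s[1] == '%') {             /* "%%" prints a literal percent */
            s++;
            continue;
        }
        n++;
    }
    return n;
}

int main(void)
{
    /* Constructed join fields: one benign player, one carrying directives. */
    const char *benign_nick = "player1";
    const char *hostile_nick = "%x%x%x%n";
    const char *datafile = "modified.pbo";

    printf("vulnerable, benign nick : %s\n", log_join_vulnerable(benign_nick, datafile));
    printf("fixed, hostile nick     : %s\n", log_join_fixed(hostile_nick, datafile));
    printf("directives in '%s': %d\n", hostile_nick, count_format_directives(hostile_nick));
    printf("directives in '%s': %d\n", benign_nick, count_format_directives(benign_nick));
    return 0;
}
```

The point of the two call sites is that the fix is a single extra argument: the logger itself is fine, the caller simply has to pass a literal format and hand the assembled message through "%s". Rejecting fields that contain directives is a useful second layer, but it does not replace the fix, since a server that still passes the message as the format remains one missed input path away from the bug.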
#######################################################################

===========
3) The Code
===========

http://aluigi.org/poc/armazzofs.zip

#######################################################################

======
4) Fix
======

No fix.

UPDATE: ArmA 2 1.07

#######################################################################