Pre-Connection Remote Execution
I have covered remote execution in the past. Everyone by now knows that any remote execution cheat is brutal to the security of game servers in Arma. The developers have made strides to block unlogged and unfiltered remote execution, and they have come a long way since Arma 3 Alpha. This post covers an exploit that has existed in the Real Virtuality engine since RV3, Arma 2.
If you haven’t read my last post, Breaking the SQF Firewall, you should do so now. Building on that post, there is a vulnerability in how the game processes network messages before the Firewall kills SQF threads. Specifically, the publicVariable and setVariable network messages can be sent to the server before the firewall kills our existing SQF loops. I am going to cover the vulnerability first and finish up with a series of exploits I have created that use the vulnerability to take advantage of other aspects of the game.
Just as an introduction, here is an example of how the vulnerability operates. For all examples in this post, clicking the image will open the code in a new tab.
This script operates by using the onEachFrame command at the main menu. Using onEachFrame in this way carries our code all the way into the server, terminating only at the SQF Firewall. The exploit exists within the if statement on Line 2. By defining a variable and then publishing it over the network, we can distribute data onto all machines loaded into the server, including the server itself. Lines 5 and 6 show the two commands we can use to distribute our data. Both work; however, I found that setVariable is often the command server owners leave the least protected.
From this example, we can see that the code for this exploit is both simple and extremely powerful. Being able to distribute any data to all machines opens a huge wave of possibilities.
Let’s take a look at some.