Luigi Auriemma

Yea I have tested it on about 3 or 4 public, ranked, online servers running the latest version. And they are dedicated (bf2_dedicated 1).

It seems that after a crash, the server comes back online and isn't vulnerable for some period of time. Then a while later (maybe a few hours) the vulnerability works again. Strange.

uhmmm really really strange and also interesting at the same time because means that the bug has not been fixed completely.
are you 100% sure that these servers weren't reachable only by your ip?
maybe they automatically banned your IP and so for you the server was down while for the other people it was all ok

I tested this on real servers, with real players on them, running 1.5.3153-802.0, dedicated, ranked, etc. All my tests were successful, but a server only seem to be crashable every hour or so. After a server was crashed and it comes back online, it isn't crashable for a while. Below is what the PoC shows for me.

What I see when I successfully crash a server:
Here is what I see after I recently crashed the server:

^... and re-running the PoC shows the same message for some time until it's "crashable" again (1 hour?). Not sure what is happening between this time, but the latest version of BF2 is definitely crashable. Don't know about the other games.

interesting, maybe it could be something like the NULL pointer I saw after the fixing of the loop bug?
because when you fix the loop one there is a NULL pointer, that's why in my patch I refer to 2 problems.
it could be an hypothesis...

have you verified if they were linux or windows servers or the problem happened immediately or in some circumstances (players, no players, pb, non-dedicated, dedicated and so on)?

in the meantime I have released a reference advisory for tracking the vulnerability:
http://aluigi.org/adv/bf2loop-adv.txt

I have been successful on both Linux and Windows servers.
I have been successful on both PB enabled and disabled servers.
All servers were dedicated (I can't find any that are not dedicated).

Though it doesn't make sense why it wouldn't be vulnerable for a short while after it crashes, and then all of a sudden become vulnerable again. All servers behave this way that I have tested. It must be in the way they tried to fix it.

I know this thread is quite old, and this bug is probably not much of interest anymore, but it seems there has to be a certain player count for bf2loop to work on a BF2 server with the current version.

I started to look in to this again recently and tried it on a public server. There were 28 players in there. I ran the tool, ran it again, again, again... it kept failing.. 4 or 5 times. I ran it once more, and it crashed the server. Nothing was changed! I looked at the command line history, and noticed the player count had gone up 1 player to 29. So my player (I would guess #30) was able to crash the server.

So it's probably a certain player count and/or being an "even" player that makes this bug still work. I couldn't say for sure, but I found my recent test interesting.

that's a very interesting information, thanx

Happy to help! Do you still work with BF2 at all? Any plans to look in to this and make a POC and/or patch?

uhmmm I guess I will not return on this, anyway let me know if this thing of relaunching the PoC 5 or more times really work with more servers and maybe I can "automatize" it.

maybe make a file.bat with the command in sequence.

Yea it's really random. I started documenting my player's slot number + how many times I ran the bat script to finally get it to crash for various servers:

64th
28th
16th (2 tries to crash)
18th (2 tries to crash)
22nd
56th
25th
64th

I am starting to think that none of this really matters because I started picking random servers I've never tested before, and on some it took 2-3 tries. It's really hard to pinpoint what the common factor is. The only thing I can see is the amount of time a server has been up.

Ok so I started up a local server and did some testing. I ran bf2loop in a loop from another pc on the local network, continuously attempting to crash my server. It never did, after hundreds of attempts. As soon as I joined with a player and the round "officially" started, the server crashed the exact same way the others do (right after you see "received: 0f 26").

I started the server again, joined with a player to make it "officially" start, and to make the tickets to start counting down. I left the server open for a few minutes and ran the tool once, and it crashed.

So in the end: the only requirement seems to be that the round has started and the tickets are counting down. You may have to run the tool a few times, but it will eventually crash so long as the round has started. And my crash (at least on a Windows machine) seemed to generate no errors or logs... the server simply closed itself. Hopefully this might give you something to go off of to make a POC & patch :)! BF2 is still a really popular game, so it would be worthwhile.

This also confirms the "player count" theory --> after a server crashes, there is a certain player count requirement before the round officially starts. This is determined by the server. Once this is met and the round starts, the server is crashable.

confirmed, it's a NULL pointer:
uhmmm being a null pointer a patch would be possible, I will think about it

released the advisory and updated the proof-of-concept:
http://aluigi.org/adv/bf2null-adv.txt

from my test the problem happens when a real player leaves the server so the step-by-step in the "The Code" section of the advisory should work ever.

Ive tried this on my 1.0.2442.0(1.0) BF2 server and the times the server crashes seems to be random and on 1.0.
Ive created a .bat file which runs bf2loop 3 times, and the server usually crashes the second time, but sometimes 1st time or 3rd time(and rarely not at all).

It doesnt seem to matter(atleast not 1.0) if anyone have joined the server before you execute bf2loop, on 1.0 it can crash on PreGame, Playing, EndGame or Paused.(From my tests atleast)
(Im on 1.0 because thats where my clan's servers are)

BF2AHD fixes this bug (bf2ahd.com), as well as many other common BF2 problems.