Share
## https://sploitus.com/exploit?id=2A02B064-90D1-5600-ADF4-9C1FE9201CF4
# CVE-2026-35330

strongSwan EAP-SIM / EAP-AKA attribute parser pre-auth heap buffer
overflow via integer underflow.

## Description

`parse_attributes()` in `src/libsimaka/simaka_message.c:419` reads TLV
headers whose `length` byte counts 4-byte words. For the `AT_RAND` /
`AT_ENCR_DATA` branch:

```c
if (hdr->length * 4 > in.len || in.len type);
data = chunk_create(in.ptr + 4, hdr->length * 4 - 4);
```

When `hdr->length == 0`, `hdr->length * 4 - 4` underflows to
`(size_t)0xFFFFFFFFFFFFFFFC`. The subsequent `add_attribute()` calls
`malloc(sizeof(attr_t) + len)` and `memcpy(..., data.ptr, len)` with
that near-`SIZE_MAX` length โ€” ASan stops the OOB `memcpy` inside
`libsimaka.so` (`negative-size-param`).

The crash is reached from `simaka_message_create_from_payload(...)`
followed by `msg->parse(msg)`. No authentication is required; the
EAP-SIM/AKA dispatcher parses the payload before any peer credential
check.

Affected: strongSwan <= 5.9.13. Fixed in upstream master commit
`aa5aaebc33` (2026-04-21).

## Usage

```bash
gcc -fsanitize=address -g -O0 poc.c -lsimaka -lstrongswan -o poc
./poc
```

The PoC links against the installed `libsimaka.so` and
`libstrongswan.so` and calls the public API directly. Headers from
the strongSwan development package are required (`-I/usr/include` is
usually sufficient when `libstrongswan-dev` is installed).

## Requirements

- Target: strongSwan `libsimaka.so` <= 5.9.13 (built from upstream
  tarball; some distros backport fixes)
- Toolchain: `gcc` with AddressSanitizer support

## References

- https://github.com/strongswan/strongswan/commit/aa5aaebc33
- https://nvd.nist.gov/vuln/detail/CVE-2026-35330

## Legal Notice

This project is released under the GNU GPLv3.

It is provided for defensive security research, education, and authorized
testing. Do not use this code against systems or services without explicit
permission from the owner.

Unauthorized use may violate applicable law. The authors do not grant permission
to test third-party systems and are not responsible for misuse.

See the LICENSE file for warranty and liability terms.