## https://sploitus.com/exploit?id=83BDFE54-25FA-5524-8BFC-77426E10F88A
# RADIUS / FreeRADIUS Security Analysis & PoC
Systematic security analysis of RADIUS protocol (RFC 2865/2868) attribute handling, with end-to-end proof-of-concept exploits validated against FreeRADIUS.
## Overview
This repository contains 12 security analysis cases targeting RADIUS protocol attributes in `Access-Request` and `CoA-Request` packets. Each case includes a detailed threat model, attack procedure, and a representative attack message, along with automated PoC scripts that validate the attack end-to-end.
**Core finding:** RFC 2865 provides **no integrity protection** for attributes in `Access-Request` packets. The Request Authenticator is a random nonce (not a MAC), allowing any on-path attacker to freely modify, add, or remove attributes without detection at the RADIUS protocol level.
## Test Environment
| Component | Detail |
|-----------|--------|
| RADIUS Server | FreeRADIUS (latest, Docker) |
| Attack Framework | Python 3.11 (raw socket, no external RADIUS libs) |
| Architecture | NAS Simulator → MITM Proxy → FreeRADIUS → MITM Proxy → NAS |
| Network | Docker bridge `172.20.0.0/24` |
## Results Summary
### End-to-End Attack Results (NAS → MITM → Server → MITM → NAS)
| # | Attribute | Attack Type | E2E Result | NAS Auth Check | Notes |
|---|-----------|-------------|------------|----------------|-------|
| 1 | Proxy-State (Type 33) | Blast-RADIUS MD5 collision | Mitigated | Auth ✗ (rejected) | **CVE-2024-3596**: FreeRADIUS 3.2.3+ rejects Proxy-State without Message-Authenticator |
| 2 | Called-Station-Id (Type 30) | MITM service-level escalation | Attack Success | Auth ✓ | LOW-SERVICE → HIGH-SERVICE, different authorization |
| 3 | NAS-IPv6-Address (Type 95) | MITM NAS identity spoofing | Attack Success | Auth ✓ | Attribute tampered undetected, auth still passes |
| 4 | EAP-Message (Type 79) | Rogue NAS without Message-Authenticator | Mitigated | Auth ✗ (rejected) | Modern FreeRADIUS enforces MA for EAP (RFC 3579) |
| 5 | Framed-Protocol (Type 7) | MITM SLIP→PPP privilege escalation | Attack Success | Auth ✓ | guest-restricted → corp-full-access |
| 6 | CHAP-Password (Type 3) | Passive sniff + offline dictionary crack | Attack Success | Auth ✓ | Password recovered: `weakpass123` |
| 7 | NAS-Port-Type (Type 61) | MITM Wireless→Ethernet VLAN escalation | Attack Success | Auth ✓ | VLAN 999 (guest) → VLAN 10 (internal) |
| 8 | Tunnel-Type (Type 64) | MITM L2TP→PPTP tunnel downgrade | Attack Success | Auth ✓ | Secure tunnel downgraded to weak PPTP |
| 9 | Tunnel-Private-Group-Id (Type 81) | MITM VPN group hijacking | Attack Success | Auth ✓ | guest-vpn → corp-vpn |
| 10 | CoA + Tunnel-Private-Group-Id | CoA-Request injection | Construct Only | N/A | CoA port (3799) not enabled by default |
| 11 | Vendor-Specific (Type 26) | MITM VSA policy injection | Attack Success | Auth ✓ | Injected `role=admin` VSA accepted |
| 12 | Tunnel-Server-Endpoint (Type 67) | MITM tunnel redirection | Attack Success | Auth ✓ | Tunnel endpoint redirected to attacker |
**Key:** "Auth ✓" means the NAS successfully validated the Response Authenticator using the shared secret; the NAS has no way to know the request was tampered with.
### Classification
All 12 cases are classified as **ATTACK**:
- **8 full end-to-end attacks** (#2, 3, 5, 7, 8, 9, 11, 12): MITM tampers attribute → server returns different authorization → NAS validates Response Authenticator ✓ → NAS applies attacker-chosen policy
- **1 passive attack** (#6): Offline CHAP password cracking from sniffed packets
- **1 known CVE, mitigated** (#1): CVE-2024-3596 (Blast-RADIUS), patched in FreeRADIUS 3.2.3+
- **1 mitigated by default** (#4): RFC 3579 Message-Authenticator enforcement
- **1 construction-verified** (#10): CoA packet construction correct, port not exposed
## Relationship to Known CVEs
| CVE | Attribute | Status in This Repo |
|-----|-----------|-------------------|
| CVE-2024-3596 | Proxy-State | PoC #1: verified mitigation in modern FreeRADIUS |
| (none) | All others | Protocol-level design limitations of RFC 2865, not implementation bugs |
> **Note:** The remaining 11 cases exploit the **same root cause**: lack of integrity protection on Access-Request attributes in RFC 2865. This is a known protocol design limitation, not an implementation vulnerability. The recommended mitigation is Message-Authenticator (RFC 2869) or RadSec/RADIUS-over-TLS (RFC 6614).
## Attack Assumption Strength
| Strength | PoCs | Rationale |
|----------|------|-----------|
| **Weak (realistic)** | #6 CHAP | Passive sniffing only, no MITM needed |
| **Moderate** | #1, #2, #7, #9, #11 | On-path + common deployment patterns |
| **Strong (theoretical)** | #3, #5, #8, #10, #12 | Requires specific server policy configurations |
| **Mitigated** | #1, #4 | Modern FreeRADIUS defaults prevent these |
## Repository Structure
```
├── README.md
├── results/                     # Detailed threat models & attack procedures
│   ├── Access_Request_Proxy_State_response.txt
│   ├── Access_Request_Called_Station_Id_response.txt
│   ├── Access_Request_NAS_IPv6_Address_response.txt
│   ├── Access_Request_EAP_Message_response.txt
│   ├── Access_Request_Framed_Protocol_response.txt
│   ├── Access_Request_CHAP_Password_response.txt
│   ├── Access_Request_NAS_Port_Type_response.txt
│   ├── Access_Request_Tunnel_Type_response.txt
│   ├── Access_Request_Tunnel_Private_Group_Id_response.txt
│   ├── Access_Request_Tunnel_Server_Endpoint_response.txt
│   ├── CoA_Request_Tunnel_Private_Group_Id_response.txt
│   └── CoA_Request_Vendor_Specific_response.txt
├── poc/
│   ├── docker-compose.yml       # 3-container test environment
│   ├── scripts/
│   │   ├── radius_utils.py      # RADIUS packet construction library
│   │   ├── mitm_proxy.py        # Generic MITM proxy with rule engine
│   │   ├── e2e_framework.py     # NAS simulator + E2E test framework
│   │   ├── e2e_all_pocs.py      # All 12 PoCs end-to-end
│   │   └── b_results_verify.py  # Quick verification (direct send)
│   └── config/
│       ├── Dockerfile.freeradius
│       ├── Dockerfile.attacker
│       ├── clients.conf
│       ├── authorize            # User/device policies
│       └── sites-default        # Attribute-based authorization rules
└── docs/
```
## Quick Start
```bash
# 1. Build and start the test environment
cd poc/
docker compose up -d --build
# 2. Wait for FreeRADIUS to be ready
docker compose logs freeradius | tail -3
# Should show: "Ready to process requests"
# 3. Run all 12 PoCs end-to-end
docker compose exec attacker python /scripts/e2e_all_pocs.py
# 4. Or run quick verification (direct packet send)
docker compose exec attacker python /scripts/b_results_verify.py
```
## Mitigations
| Mitigation | Protects Against | Deployment Effort |
|------------|-----------------|-------------------|
| **Message-Authenticator** (RFC 2869) | MITM attribute tampering on Access-Request | Low: enable on NAS and server |
| **RadSec / RADIUS-over-TLS** (RFC 6614) | All on-path attacks | Medium: requires TLS infrastructure |
| **Strong passwords + EAP-TLS** | CHAP offline cracking | Medium: requires PKI |
| **Server-side policy hardening** | Attribute hint abuse | Low: don't trust request hints for authorization |
| **Upgrade FreeRADIUS ≥ 3.2.3** | CVE-2024-3596 (Blast-RADIUS) | Low |
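The core finding above (a random Request Authenticator binds nothing to the shared secret) and the Message-Authenticator row of this table, as an added Python example that is not the repository's own code: the same on-path rewrite of Called-Station-Id is applied to a request with and without the RFC 2869 attribute, and only the latter can be rejected server-side. The shared secret, user name and attribute values are constructed.

```python
# Added example, not the repository's own code; secret, user and attribute values are constructed.
import hashlib, hmac, os, struct

SECRET = b"testing123"                            # constructed shared secret
ACCESS_REQUEST, USER_NAME, CALLED_STATION_ID, MESSAGE_AUTHENTICATOR = 1, 1, 30, 80

def avp(attr_type, value):
    """Encode one attribute as Type | Length | Value (RFC 2865 section 5)."""
    return struct.pack("!BB", attr_type, 2 + len(value)) + value

def packet(code, ident, authenticator, attrs):
    """Code | Identifier | Length | Authenticator(16) | Attributes."""
    return struct.pack("!BBH", code, ident, 20 + len(attrs)) + authenticator + attrs

def parse_attrs(attrs):
    """Split the attribute area back into (type, value) pairs."""
    pairs, pos = [], 0
    while pos < len(attrs):
        pairs.append((attrs[pos], attrs[pos + 2:pos + attrs[pos + 1]]))
        pos += attrs[pos + 1]
    return pairs

def rewrite(attrs, attr_type, new_value):
    """Replace one attribute's value; every other attribute is kept byte-for-byte."""
    return b"".join(avp(t, new_value if t == attr_type else v) for t, v in parse_attrs(attrs))

def add_message_authenticator(code, ident, authenticator, attrs):
    """RFC 2869 5.14: HMAC-MD5 keyed with the secret over the packet with the MA value zeroed."""
    zeroed = attrs + avp(MESSAGE_AUTHENTICATOR, bytes(16))
    mac = hmac.new(SECRET, packet(code, ident, authenticator, zeroed), hashlib.md5).digest()
    return packet(code, ident, authenticator, attrs + avp(MESSAGE_AUTHENTICATOR, mac))

def check_message_authenticator(pkt):
    """Server side: None if absent (nothing binds attributes to the secret), False if wrong, True if valid."""
    code, ident, authenticator, attrs = pkt[0], pkt[1], pkt[4:20], pkt[20:]
    macs = [v for t, v in parse_attrs(attrs) if t == MESSAGE_AUTHENTICATOR]
    if not macs:
        return None
    zeroed = packet(code, ident, authenticator, rewrite(attrs, MESSAGE_AUTHENTICATOR, bytes(16)))
    return hmac.compare_digest(macs[0], hmac.new(SECRET, zeroed, hashlib.md5).digest())

def demo():
    """Same request with and without the attribute; the same on-path change applied to each."""
    auth = os.urandom(16)                         # Request Authenticator: a nonce, not a MAC
    attrs = avp(USER_NAME, b"alice") + avp(CALLED_STATION_ID, b"LOW-SERVICE")
    signed = add_message_authenticator(ACCESS_REQUEST, 7, auth, attrs)
    on_path = lambda a: packet(ACCESS_REQUEST, 7, auth, rewrite(a, CALLED_STATION_ID, b"HIGH-SERVICE"))
    return {"plain_tampered": check_message_authenticator(on_path(attrs)),        # None: undetectable
            "signed_ok": check_message_authenticator(signed),                     # True
            "signed_tampered": check_message_authenticator(on_path(signed[20:]))}  # False: rejected
```

The `None` outcome is the whole finding in one value: with only RFC 2865 fields present, the server has nothing it can recompute, so the rewritten request is indistinguishable from an honest one.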
## References
- [RFC 2865: Remote Authentication Dial In User Service (RADIUS)](https://datatracker.ietf.org/doc/html/rfc2865)
- [RFC 2868: RADIUS Attributes for Tunnel Protocol Support](https://datatracker.ietf.org/doc/html/rfc2868)
- [RFC 3579: RADIUS Support for EAP](https://datatracker.ietf.org/doc/html/rfc3579)
- [CVE-2024-3596: Blast-RADIUS](https://www.blastradius.fail/)
- [RFC 6614: Transport Layer Security (TLS) Encryption for RADIUS](https://datatracker.ietf.org/doc/html/rfc6614)
## Disclaimer
This repository is for **educational and authorized security research purposes only**. The PoC scripts are designed to run in an isolated Docker environment. Do not use these tools against systems you do not own or have explicit authorization to test.