Buffer Overflow via Crafted IPv6 Prefix Attribute Type Client Request in accel-ppp v1.12
Description
The rad_packet_recv function in radius/packet.c suffers from a memcpy buffer overflow, resulting in an overly-large recvfrom into a fixed buffer that causes a buffer overflow and overwrites arbitrary memory. If the server connects with a malicious client, crafted client requests can remotely trigger this vulnerability.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
A memcpy buffer overflow in the rad_packet_recv function of accel-ppp allows a malicious RADIUS client to overwrite arbitrary memory and remotely compromise the server.
Vulnerability
The rad_packet_recv function in radius/packet.c of accel-ppp contains a memcpy buffer overflow when processing RADIUS packets. The code uses a fixed-size receive buffer but calls recvfrom without properly limiting the received data, resulting in an overly-large copy that overwrites arbitrary memory. This is triggered when a RADIUS packet contains invalid attribute lengths or specific attribute types (ipv4addr, ipv6addr, ipv6prefix, or ifid). All versions prior to the patched version (unreleased at the time) are affected [1].
Exploitation
An attacker needs network access to bind a malicious RADIUS client and send crafted RADIUS packets to the vulnerable accel-ppp server. No authentication is required. The attacker must craft a RADIUS packet with an attribute from the list (ipv4addr, ipv6addr, ipv6prefix, or ifid) that has an invalid length field, causing memcpy to copy attacker-controlled data beyond the destination buffer's boundaries [1].
Impact
Successful exploitation overwrites arbitrary memory, potentially leading to remote code execution (RCE) or denial of service on the accel-ppp server. The attacker gains the privileges of the RADIUS server process, which typically runs as root or a privileged user, enabling full compromise of the host if RCE is achieved [1].
Mitigation
The fix was proposed in pull request #35 on the accel-ppp GitHub repository [1]. Users should apply the patch or update to a version that includes it (if released). At the time of publication, no official release containing the fix is available; the project maintainers should integrate the patch and release a new version. As a workaround, restrict network access to trusted RADIUS clients only using firewalls or network segmentation. The vulnerability is not listed on the CISA KEV as of 2024 [1].
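The kind of length validation that closes this class of bug, as an added example (it is not accel-ppp's code and not the patch from pull request #35). The names `decode_attr_val`, `struct attr_val` and `enum val_kind` are hypothetical; the value sizes are the ones the RADIUS RFCs define for these types, and `len` is assumed to be the attribute's length octet minus its 2-byte header.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>

/* Hypothetical value kinds, named after the attribute types listed above. */
enum val_kind { VAL_IPV4ADDR, VAL_IPV6ADDR, VAL_IFID, VAL_IPV6PREFIX };

struct attr_val {
    enum val_kind kind;
    uint8_t prefix_len;   /* only meaningful for VAL_IPV6PREFIX */
    uint8_t bytes[16];    /* large enough for the biggest fixed-size value */
};

/* Decode one attribute value of `len` bytes taken from the wire.
 * Returns 0 on success, -1 when the length does not match what the type
 * requires. Nothing from the packet is copied on failure. */
int decode_attr_val(enum val_kind kind, const uint8_t *val, size_t len,
                    struct attr_val *out)
{
    size_t want;

    memset(out, 0, sizeof(*out));
    out->kind = kind;

    switch (kind) {
    case VAL_IPV4ADDR: want = 4;  break;
    case VAL_IPV6ADDR: want = 16; break;
    case VAL_IFID:     want = 8;  break;
    case VAL_IPV6PREFIX:
        /* reserved octet + prefix-length octet + 0..16 prefix octets */
        if (len < 2 || len > 18 || val[1] > 128)
            return -1;
        /* stricter than a pure bounds check: the prefix bits must fit
         * in the prefix octets actually present in the packet */
        if ((size_t)(val[1] + 7) / 8 > len - 2)
            return -1;
        out->prefix_len = val[1];
        memcpy(out->bytes, val + 2, len - 2);   /* at most 16 bytes */
        return 0;
    default:
        return -1;
    }
    if (len != want)      /* the wire length never drives the copy size */
        return -1;
    memcpy(out->bytes, val, want);              /* want <= sizeof(out->bytes) */
    return 0;
}
```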
AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- https://accel-ppp.org//accel-ppp (v5), Range: 1.12
Patches
No patches discovered yet.
References
[1] github.com/accel-ppp/accel-ppp/pull/35 (mitre, x_refsource_MISC)