I would like to report a buffer over-read in mqtt-packet respectively BufferList module.
It allows triggering an out of range read on a buffer which throws a RangeError. MQTT Brokers like mosca and aedes using this module can be forced to crash by sending a specifically malformed MQTT Subscribe packet.
module name: mqtt-packetversion:6.1.1npm page: https://www.npmjs.com/package/mqtt-packet
Encode and Decode MQTT 3.1.1, 5.0 packets the node way.
114,635 weekly downloads
From the original E-Mail to the Author:
Hey Matteo,
while playing around with mosca/aedes and our fuzzing approach from IoT-Testware, I discovered some flaws which cause mosca/aedes to crash. Though, I assume the reasons originate from the mqtt-packet respectively bl modules.
I didn’t open an issue because the issue is IMHO quite critical. One could try to abuse to crash mosca/aedes without requiring any credentials, thus might lead to easy DoS attacks.
The malformed Subscribe Packet crashes mosca (v2.8.3) and aedes (v0.37.0), no valid credentials required.
> Detailed steps to reproduce with all required references/steps/commands. If there is any exploit code or reference to the package source code this is the place where it should be put.
echo -ne '\x104\x00\x04MQTT\x04\xc2\x00\xff\x00\x19alicedoesnotneedaclientid\x00\x05alice\x00\x06secret\x82\x19\xa5\xa6\x00\x15hello/topic/of/alice\x00' | nc localhost 1883
Please find a GitHub patch attached.
> State all technical information about the stack where the vulnerability was found
v6.17.1
3.10.10
An attacker can harm the availability of MQTT services which are using these modules.