This vulnerability can be triggered by sending a specific sequence of the following packets:
CONNECT
SUBSCRIBE
UNSUBSCRIBE
We attach the ASan stack trace of the vulnerability as well as the hex-encoded bytes of the packets ("%x" is used as a hex prefix).
Steps to reproduce
Run the attached replay_mqtt_finding.py script against a Mosquitto 2.0.18 broker which has been instrumented with ASan (AddressSanitizer).
Do you know any mitigations of the issue?
No.
Credit request
If you assign a CVE, is it possible to register the requested CVE with our names and organization name? We are Roman Kraus, Steffen Lüdtke, Martin Schneider and Ramon Barakat of Fraunhofer FOKUS.
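The report describes the trigger as a packet sequence replayed from hex-encoded bytes by a script (replay_mqtt_finding.py) that is attached to the issue and not shown here. The following is an added example of what such a replay harness looks like; it is not the reporters' script and does not contain the triggering bytes. It builds well-formed MQTT 3.1.1 CONNECT, SUBSCRIBE and UNSUBSCRIBE packets, decodes the "%x"-prefixed hex notation the report mentions (assumed here to mean one byte per "%xHH" token), parses the broker's fixed header so replies can be classified, and sends a packet list to a broker, stopping when the connection drops, which is what an ASan abort of the broker looks like from the client side. Host, port, client id, topic names and packet ids are placeholders.

```python
"""Minimal MQTT 3.1.1 replay harness (added example, not the reporters'
replay_mqtt_finding.py).  The packets built here are ordinary well-formed
ones constructed for illustration; the bytes that trigger the reported
bug live in the reporters' attachment and are not reproduced here.
"""
import socket


def encode_remaining_length(n: int) -> bytes:
    """MQTT variable-length integer: 7 data bits per byte, 0x80 = more follows."""
    out = bytearray()
    while True:
        byte = n % 128
        n //= 128
        if n > 0:
            byte |= 0x80
        out.append(byte)
        if n == 0:
            return bytes(out)


def encode_string(s: str) -> bytes:
    """UTF-8 string prefixed with a 16-bit big-endian length."""
    data = s.encode("utf-8")
    return len(data).to_bytes(2, "big") + data


def packet(type_and_flags: int, body: bytes) -> bytes:
    """Fixed header (type/flags byte + remaining length) followed by the body."""
    return bytes([type_and_flags]) + encode_remaining_length(len(body)) + body


def connect(client_id: str, keepalive: int = 60) -> bytes:
    # CONNECT (type 1): protocol name "MQTT", level 4, clean-session flag, keepalive, client id
    body = (encode_string("MQTT") + bytes([4, 0x02])
            + keepalive.to_bytes(2, "big") + encode_string(client_id))
    return packet(0x10, body)


def subscribe(packet_id: int, topic: str, qos: int = 0) -> bytes:
    # SUBSCRIBE (type 8) must carry reserved flags 0b0010, hence 0x82
    body = packet_id.to_bytes(2, "big") + encode_string(topic) + bytes([qos])
    return packet(0x82, body)


def unsubscribe(packet_id: int, topic: str) -> bytes:
    # UNSUBSCRIBE (type 10) likewise uses flags 0b0010, hence 0xA2
    body = packet_id.to_bytes(2, "big") + encode_string(topic)
    return packet(0xA2, body)


def decode_percent_x(text: str) -> bytes:
    """Decode "%x"-prefixed hex ("%x82%x08" -> b"\\x82\\x08").
    Assumption about the attachment's format: one byte per "%xHH" token."""
    parts = text.strip().split("%x")
    if parts[0] != "":
        raise ValueError("expected the text to start with %x")
    out = bytearray()
    for tok in parts[1:]:
        if not 1 <= len(tok) <= 2:
            raise ValueError(f"bad byte token {tok!r}")
        out.append(int(tok, 16))
    return bytes(out)


def parse_fixed_header(data: bytes):
    """Return (packet_type, flags, remaining_length, header_len), or None if
    the fixed header is incomplete.  CONNACK is type 2, SUBACK 9, UNSUBACK 11."""
    if not data:
        return None
    ptype, flags = data[0] >> 4, data[0] & 0x0F
    multiplier, value = 1, 0
    for i in range(1, min(len(data), 5)):
        value += (data[i] & 0x7F) * multiplier
        if not data[i] & 0x80:
            return ptype, flags, value, i + 1
        multiplier *= 128
    return None


def replay(host: str, port: int, packets, timeout: float = 2.0) -> list:
    """Send packets in order and collect the raw reply after each one.
    A broker that dies under ASan closes the socket: recv() returns b'' or a
    later send raises ConnectionError; both end the replay."""
    replies = []
    with socket.create_connection((host, port), timeout=timeout) as sock:
        for pkt in packets:
            try:
                sock.sendall(pkt)
                reply = sock.recv(4096)
            except (ConnectionError, socket.timeout) as exc:
                replies.append(exc)
                break
            replies.append(reply)
            if reply == b"":          # peer closed the connection
                break
    return replies


if __name__ == "__main__":
    # Placeholder broker address and topic; run against an ASan-instrumented broker.
    seq = [connect("replay-client"), subscribe(1, "test/topic"), unsubscribe(2, "test/topic")]
    for r in replay("127.0.0.1", 1883, seq):
        print(parse_fixed_header(r) if isinstance(r, bytes) else repr(r))
```

To replay an attached capture instead of the constructed packets, decode each "%x"-encoded line with decode_percent_x and pass the resulting byte strings to replay in the order CONNECT, SUBSCRIBE, UNSUBSCRIBE; the fixed-header parser on the replies tells you whether the broker answered (CONNACK, SUBACK) before the connection dropped.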
Hello, we wanted to inform you that we failed to produce this finding on the current 'develop' branch of Mosquitto. Nevertheless, a CVE might still be advised, as the most recent release (2.0.18) appears vulnerable to our finding. If you need further details or help from our side, please let us know.
Thank you very much for the report, and for #217 (closed) as well. Both issues are a manifestation of the same bug, and I have a fix for it. I believe it should have a CVE. @tiagolucas, could we please have one assigned?
Hello @rlight and @tiagolucas, we wanted to inform you that we are considering registering the CVE ourselves next week, as the process appears to be stuck here. If we could support you in registering, please let us know. Otherwise, we would make concrete plans to register it ourselves.
Thanks! That is my understanding as well. We will need @rlight's feedback to write down the CVE summary and fields (e.g. where the commits that fix the vulnerability are, and which release(s) contain it).
Of course, the requested credits will be given in the CVE report.
You are welcome! We wanted to inform you that we have also found a segmentation fault which we have not reported yet. I will finalize the report and upload it as soon as possible, so that you can consider its relation to the other findings.
And just to make sure: Is #216 (closed) also a manifestation of the same bug?