Mosquitto: Segmentation fault on db__message_insert
Basic information
Project name: Eclipse Mosquitto
Project id: iot.mosquitto
What are the affected versions?
2.0.18
We have not checked previous versions.
However, the current develop branch of Mosquitto is also vulnerable to this attack.
Details of the issue
We have found a segmentation fault in Mosquitto 2.0.18 that occurs at src/database.c:581 (in the function db__message_insert).
This vulnerability can be triggered by sending a specific sequence of the following packets:
CONNECT
PUBLISH
CONNECT
SUBSCRIBE
SUBSCRIBE
DISCONNECT
CONNECT
CONNECT
SUBSCRIBE
UNSUBSCRIBE
DISCONNECT
CONNECT
SUBSCRIBE
The order in which the connections are closed seems to play a role. In particular, it seems that the first connection has to be closed last.
We attach the Mosquitto output, the gdb backtrace and the hex-encoded bytes of the packets ("%x" is used as a hex prefix).
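As an added example that is not part of this report or its attachments, the following Python splits a raw client-to-broker MQTT byte stream into control packets by their fixed header and names their types, so that a capture taken at a broker can be compared with the packet sequence listed above. The sample bytes are constructed here, not the attached ones, and the comparison assumes the stream is ordered as the broker received it.

```python
# Control packet type = upper nibble of the first byte (MQTT 3.1.1 and 5.0).
PACKET_TYPES = {
    1: "CONNECT", 2: "CONNACK", 3: "PUBLISH", 4: "PUBACK", 5: "PUBREC",
    6: "PUBREL", 7: "PUBCOMP", 8: "SUBSCRIBE", 9: "SUBACK", 10: "UNSUBSCRIBE",
    11: "UNSUBACK", 12: "PINGREQ", 13: "PINGRESP", 14: "DISCONNECT", 15: "AUTH",
}

# The sequence given in the report, in order, for comparison with a capture.
REPORTED_SEQUENCE = [
    "CONNECT", "PUBLISH", "CONNECT", "SUBSCRIBE", "SUBSCRIBE", "DISCONNECT",
    "CONNECT", "CONNECT", "SUBSCRIBE", "UNSUBSCRIBE", "DISCONNECT", "CONNECT", "SUBSCRIBE",
]

def decode_remaining_length(data, pos):
    """Decode the variable-byte Remaining Length at data[pos]; return (value, next_pos)."""
    value, multiplier = 0, 1
    for _ in range(4):                      # the encoding allows at most 4 bytes
        if pos >= len(data):
            raise ValueError("truncated Remaining Length")
        byte = data[pos]
        pos += 1
        value += (byte & 0x7F) * multiplier
        if not byte & 0x80:                 # continuation bit clear: last byte
            return value, pos
        multiplier *= 128
    raise ValueError("Remaining Length uses more than 4 bytes")

def packet_types(stream):
    """Return the control packet type names in stream, raising on truncated input."""
    names, pos = [], 0
    while pos < len(stream):
        ptype = stream[pos] >> 4
        length, pos = decode_remaining_length(stream, pos + 1)
        if pos + length > len(stream):
            raise ValueError("truncated packet body")
        pos += length                       # skip variable header and payload
        names.append(PACKET_TYPES.get(ptype, f"RESERVED({ptype})"))
    return names

def matches_reported_sequence(stream):
    """True if the stream's packet types equal the sequence listed in the report."""
    return packet_types(stream) == REPORTED_SEQUENCE

# Constructed sample (not the attached bytes): CONNECT with client id "c1",
# PUBLISH QoS 0 to topic "t" with payload "x", then DISCONNECT.
SAMPLE = bytes.fromhex(
    "10 0e 00 04 4d 51 54 54 04 02 00 3c 00 02 63 31"   # CONNECT
    "30 04 00 01 74 78"                                  # PUBLISH
    "e0 00"                                              # DISCONNECT
)
```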
Steps to reproduce
Run the attached replay_mqtt_finding.py script against a Mosquitto 2.0.18 broker. It seems to be important that the broker is not instrumented with ASan (AddressSanitizer); otherwise, we could not observe this error. We also want to mention that the reproduction can be flaky, so you might need several attempts. However, the reproduction script we attach here was quite reliable for us.
Do you know any mitigations of the issue?
No.
Credit request
If you assign a CVE, is it possible to register the requested CVE with our names and organization name? We are Roman Kraus, Steffen Lüdtke, Martin Schneider and Ramon Barakat of Fraunhofer FOKUS.
Best regards,
Roman Kraus