AIS-catcher Integer Underflow Vulnerability in MQTT Parsing Logic Leading to Heap Buffer Overflow

Vulnerability

A critical integer underflow vulnerability has been identified in the MQTT parsing logic of AIS-catcher, a multi-platform AIS receiver. This vulnerability, present in versions prior to 0.64, allows an attacker to send a malformed MQTT packet with a manipulated Topic Length field, triggering a massive heap buffer overflow. The resulting memory corruption can be exploited for remote code execution, and it also causes an immediate denial-of-service condition. The vulnerability arises from a lack of validation in the packet parsing process: the Topic Length is subtracted from the packet length without first checking that it fits, so an excessively large Topic Length produces a negative computed payload size, and when that negative value is interpreted as a large positive integer the subsequent copy overruns the heap buffer.

Impact

Exploitation of this vulnerability causes a heap buffer overflow, leading to memory corruption that can be leveraged for remote code execution. Additionally, the vulnerability causes a denial-of-service condition by crashing the application.

Reproduction

The vulnerability can be reproduced by using AIS-catcher as a library and sending a crafted MQTT PUBLISH packet with an oversized Topic Length. This can be done by creating a mock protocol that feeds the malicious packet into the MQTT parsing function, which will then process the packet without proper length validation, causing the buffer overflow.
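The check the advisory says is missing, shown as an added example in C++ (this is illustrative code, not AIS-catcher's parser): it decodes the body of a QoS 0 MQTT PUBLISH packet and rejects any Topic Length that does not fit inside the Remaining Length before computing the payload size, so the subtraction can never go negative. The sample packet bytes and the `parseSample` helper are constructed for this example.

```cpp
#include <cstddef>
#include <cstdint>
#include <optional>
#include <string>
#include <vector>

// Parsed view of an MQTT PUBLISH body (QoS 0: no Packet Identifier, no properties).
struct PublishView {
    std::string topic;
    std::vector<uint8_t> payload;
};

// Parse everything after the fixed header. `remaining` is the Remaining Length
// already decoded from the fixed header. A parser that computes
// `remaining - 2 - topicLen` in a signed int and hands the result to a copy
// routine underflows exactly as the advisory describes; here every subtraction
// is guarded so it operates on unsigned values that cannot wrap.
std::optional<PublishView> parsePublishBody(const uint8_t* body, size_t remaining) {
    // The Topic Length prefix itself is 2 bytes (big-endian).
    if (remaining < 2) return std::nullopt;
    const size_t topicLen = (static_cast<size_t>(body[0]) << 8) | body[1];
    // Reject a Topic Length that claims more bytes than the packet carries.
    if (topicLen > remaining - 2) return std::nullopt;
    const size_t payloadLen = remaining - 2 - topicLen;  // guaranteed non-negative
    PublishView v;
    v.topic.assign(reinterpret_cast<const char*>(body + 2), topicLen);
    v.payload.assign(body + 2 + topicLen, body + 2 + topicLen + payloadLen);
    return v;
}

// Constructed sample: a well-formed PUBLISH body for topic "ais/nmea" with an
// 8-byte payload; with forgeTopicLength the Topic Length field is set to 0xFFFF
// while the packet keeps its real 18-byte length, which the parser must reject.
std::optional<PublishView> parseSample(bool forgeTopicLength) {
    std::vector<uint8_t> body = {0x00, 0x08, 'a', 'i', 's', '/', 'n', 'm', 'e', 'a',
                                 '!', 'A', 'I', 'V', 'D', 'M', ',', '1'};
    if (forgeTopicLength) { body[0] = 0xFF; body[1] = 0xFF; }
    return parsePublishBody(body.data(), body.size());
}
```

A malformed packet is dropped before any allocation or copy happens, which turns the heap overflow into a harmless parse failure.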

Remediation

Users should update to AIS-catcher version 0.64 or later, where this vulnerability has been patched.

Added: Nov 29, 2025, 3:20 AM
Updated: Nov 29, 2025, 3:20 AM

Vulnerability Rating

Custom Algorithm
spread: 0.0
impact: 7.5
exploitability: 8.7
remediation: 7.7
relevance: 1.2
threat: 6.4
urgency: 2.9
incentive: 5.8

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.