NanoMQ MQTT Broker Heap Memory Corruption Vulnerability Leading to Denial-of-Service

Vulnerability

A heap memory corruption vulnerability has been identified in NanoMQ MQTT Broker version 0.24.6. This issue arises from a combination of high-frequency publish messages, rapid reconnections using the same ClientID, and significant subscribe/unsubscribe jitter. Exploiting this vulnerability causes the Broker process to crash immediately with a SIGABRT signal, due to an invalid pointer being freed. As of now, no patched versions are available.

Impact

Exploitation of this vulnerability causes the Broker process to crash unexpectedly. However, such heap memory corruption issues could lead to more severe consequences in certain environments.

Reproduction

The vulnerability can be reproduced by establishing an MQTT connection to the Broker and sending valid MQTT control packets, including SUBSCRIBE, UNSUBSCRIBE, CONNECT, and PUBLISH. The key to triggering the vulnerability is to create a traffic pattern that includes high-frequency publishes, rapid reconnects using the same ClientID, and substantial subscribe/unsubscribe jitter. Under typical conditions, this vulnerability can be reliably triggered within approximately three minutes, depending on the performance of the machine running the exploitation script.
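The traffic pattern above (rapid reconnects under one ClientID, high-frequency PUBLISH, subscribe/unsubscribe churn) is something a broker operator can watch for. The following is an added detection example, not NanoMQ code: it scores per-client event rates over a sliding window and flags clients exceeding assumed thresholds. The event tuples and threshold values are constructed for illustration.

```python
"""Flag MQTT clients whose connect / publish / subscribe-unsubscribe rates match the
advisory's trigger pattern. Added example, not NanoMQ code; events are constructed."""
from collections import defaultdict, deque

# Per-60 s thresholds; assumed values, tune to the real broker's normal load.
THRESHOLDS = {"connect": 10, "publish": 500, "sub_churn": 50}

# Constructed sample events (time_seconds, client_id, event); not real broker logs.
SAMPLE_EVENTS = (
    [(t * 0.5, "sensor-1", "publish") for t in range(20)]        # benign: 20 msgs / 10 s
    + [(t, "sensor-1", "connect") for t in (0, 120)]             # benign: 2 connects
    + [(t * 0.05, "flood-42", "publish") for t in range(1200)]   # 1200 msgs / 60 s
    + [(t * 2, "flood-42", "connect") for t in range(30)]        # 30 reconnects / 60 s
    + [(t * 0.4, "flood-42", "subscribe" if t % 2 == 0 else "unsubscribe")
       for t in range(150)]                                      # 150 sub/unsub / 60 s
)

def max_events_in_window(times, window_s):
    """Largest count of timestamps inside any window_s-long interval (times sorted)."""
    q, best = deque(), 0
    for t in times:
        q.append(t)
        while q and q[0] < t - window_s:   # drop timestamps that fell out of the window
            q.popleft()
        best = max(best, len(q))
    return best

def flag_clients(events, window_s=60.0, thresholds=THRESHOLDS):
    """Return {client_id: [reasons]} for clients exceeding any threshold in one window."""
    per_client = defaultdict(lambda: defaultdict(list))
    for t, cid, ev in sorted(events):
        # subscribe and unsubscribe are counted together as churn
        key = "sub_churn" if ev in ("subscribe", "unsubscribe") else ev
        per_client[cid][key].append(t)
    flagged = {}
    for cid, buckets in per_client.items():
        reasons = []
        for key, times in buckets.items():
            peak = max_events_in_window(times, window_s)
            if key in thresholds and peak > thresholds[key]:
                reasons.append(f"{key}: {peak} in {window_s:.0f}s")
        if reasons:
            flagged[cid] = reasons
    return flagged

if __name__ == "__main__":
    for cid, reasons in flag_clients(SAMPLE_EVENTS).items():
        print(cid, "->", "; ".join(reasons))
```

A flagged ClientID is a candidate for per-client connection rate limiting or disconnection at the broker or a fronting proxy until a patched build is available.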

Added: Mar 4, 2026, 10:21 PM
Updated: Mar 4, 2026, 10:21 PM

Vulnerability Rating

Custom Algorithm scores (0 to 10):

spread          0.0
impact          2.5
exploitability  8.0
remediation     0.0
relevance       3.5
threat          6.4
urgency         2.9
incentive       0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.