NanoMQ MQTT Broker Heap Buffer Overflow Vulnerability in REST API URI Parameter Parsing

Vulnerability

A heap buffer overflow vulnerability has been identified in NanoMQ MQTT Broker versions prior to 0.24.11. The issue arises in the 'uri_param_parse' function of the REST API, where an off-by-one error in memory allocation for query parameter keys and values allows an attacker to write a null byte beyond the allocated buffer. This vulnerability can be exploited by sending a crafted HTTP request, leading to potential heap corruption.
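The allocation pattern behind this class of bug, as an added C example (not NanoMQ's source code; kv_param, dup_span, kv_params_parse and kv_params_free are hypothetical names chosen for illustration). Each key and value copy reserves length + 1 bytes so that the terminating null byte stays inside the allocation:

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical names for illustration; not NanoMQ's uri_param_parse. */
typedef struct { char *key; char *value; } kv_param;

/* Copy n bytes into a fresh NUL-terminated string. The off-by-one pattern
 * is malloc(n) followed by dst[n] = '\0', a one-byte write past the
 * allocation; reserving n + 1 bytes keeps the terminator in bounds. */
static char *dup_span(const char *src, size_t n)
{
    if (n == SIZE_MAX) return NULL;          /* n + 1 would wrap to 0 */
    char *dst = malloc(n + 1);
    if (dst == NULL) return NULL;
    memcpy(dst, src, n);
    dst[n] = '\0';
    return dst;
}

void kv_params_free(kv_param *p, size_t n)
{
    for (size_t i = 0; i < n; i++) { free(p[i].key); free(p[i].value); }
}

/* Split "k1=v1&k2=v2" (query, qlen bytes, need not be NUL-terminated) into
 * at most max entries. Returns the entry count, or -1 on malformed input
 * or allocation failure, with nothing left allocated. */
int kv_params_parse(const char *query, size_t qlen, kv_param *out, size_t max)
{
    size_t count = 0, pos = 0;
    while (pos < qlen) {
        const char *seg = query + pos;
        const char *amp = memchr(seg, '&', qlen - pos);
        size_t seglen = amp ? (size_t)(amp - seg) : qlen - pos;
        const char *eq = memchr(seg, '=', seglen);
        if (eq == NULL || eq == seg || count == max) goto fail;
        size_t klen = (size_t)(eq - seg);
        out[count].key = dup_span(seg, klen);
        out[count].value = dup_span(eq + 1, seglen - klen - 1);
        count++;                             /* entry now owned by out[] */
        if (!out[count - 1].key || !out[count - 1].value) goto fail;
        pos += seglen + 1;                   /* skip past '&' */
    }
    return (int)count;
fail:
    kv_params_free(out, count);
    return -1;
}
```

Building a parser like this with AddressSanitizer (-fsanitize=address) and feeding it boundary-length keys and values catches a missing + 1 as a one-byte heap-buffer-overflow write.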

Impact

Exploitation of this vulnerability causes a heap buffer overflow, which can corrupt memory and potentially lead to a crash or allow for remote code execution, depending on the heap layout.

Reproduction

The vulnerability can be reproduced by sending an authenticated HTTP GET request to the '/api/v4/get_file' endpoint with an unencoded 'path' query parameter. This can be done using a Python script that includes the necessary authorization headers. The request will cause NanoMQ to crash, as indicated by AddressSanitizer output showing a heap-buffer-overflow error.

Remediation

Users can upgrade to NanoMQ version 0.24.11 or later, where this vulnerability has been patched.

Added: Apr 20, 2026, 8:32 PM
Updated: Apr 20, 2026, 8:32 PM

Vulnerability Rating

Custom Algorithm

spread: 0.3
impact: 7.5
exploitability: 7.0
remediation: 7.7
relevance: 6.4
threat: 6.4
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.