NanoMQ MQTT Broker Out-of-Bounds Read Vulnerability in Webhook Processing

Vulnerability

A heap-buffer-overflow vulnerability has been identified in NanoMQ MQTT Broker versions prior to 0.24.10. The issue is in the webhook_inproc.c file, within the hook_work_cb() function, which processes nng messages by parsing the message body with cJSON_Parse. The body comes from nng_msg_body(msg), a binary buffer with no guaranteed null terminator. Because cJSON_Parse keeps reading until it encounters a null character, this leads to an out-of-bounds read that can touch memory beyond the allocated buffer, such as nng_msg metadata or adjacent heap or stack memory. The bug is often masked by nng's allocation padding, which appends extra zero bytes for certain buffer sizes. It can be reliably triggered when the JSON payload length is a power of two and 1024 or greater, since no padding is applied for those sizes.
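The mechanism above, as an added example that is not code from the NanoMQ project or from this advisory: a constructed buffer stands in for an nng_msg body (the real types are not used), a bounded scan stands in for the strlen() that cJSON_Parse performs before parsing, and body_to_cstring shows the length-aware form a defender would use in hook_work_cb; the actual upstream fix is not known from this page.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Builds a heap buffer holding `json` immediately followed by `adjacent` bytes
 * (a constructed stand-in for whatever memory follows an nng_msg body), with
 * no terminator between them, and returns how many bytes a strlen()-based
 * front end such as cJSON_Parse() would consume.  The scan is capped at the
 * allocation size only to keep this demo free of undefined behaviour; the
 * broker itself has no such cap, which is the over-read ASan reports. */
size_t nul_driven_length(const char *json, const char *adjacent, size_t adjacent_len) {
    size_t body_len = strlen(json), alloc_len = body_len + adjacent_len;
    uint8_t *buf = malloc(alloc_len);
    if (buf == NULL) return 0;
    memcpy(buf, json, body_len);
    memcpy(buf + body_len, adjacent, adjacent_len);
    size_t n = 0;
    while (n < alloc_len && buf[n] != '\0') n++;   /* what strlen() does */
    free(buf);
    return n;
}

/* 1 if parsing the payload via strlen() would read past it, i.e. the allocator
 * left no NUL after the payload (the power-of-two >= 1024 case in the advisory);
 * 0 when padding zeros happen to follow it and hide the bug. */
int would_overread(const char *json, const char *adjacent, size_t adjacent_len) {
    return nul_driven_length(json, adjacent, adjacent_len) > strlen(json);
}

/* Hardened form: hand the parser exactly `len` payload bytes plus the NUL it
 * expects (nng_msg_len() supplies `len` in the broker).  cJSON's own
 * cJSON_ParseWithLength(body, len) is the copy-free alternative.  Caller frees. */
char *body_to_cstring(const uint8_t *body, size_t len) {
    if (body == NULL || len == SIZE_MAX) return NULL;
    char *s = malloc(len + 1);
    if (s == NULL) return NULL;
    memcpy(s, body, len);
    s[len] = '\0';
    return s;
}
```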

Impact

Exploitation of this vulnerability causes a crash of the NanoMQ broker due to a segmentation fault, creating a denial-of-service condition. Additionally, the out-of-bounds read may access and leak sensitive information from adjacent memory, such as nng metadata or heap/stack data, through webhook logs.

Reproduction

To reproduce this vulnerability, first enable the webhook feature in the NanoMQ configuration file, setting the URL to a local server and the topic to one that will be published to. After compiling NanoMQ with AddressSanitizer enabled, start the broker with the modified configuration. Finally, send a PUBLISH message with a JSON payload that has a length of 1024 bytes or more, ensuring that the length is a power of two. The broker will crash, demonstrating the denial-of-service impact of the vulnerability.

Remediation

Users can upgrade to NanoMQ version 0.24.10 or later, where this vulnerability has been patched.

Added: Apr 2, 2026, 6:42 PM
Updated: Apr 2, 2026, 6:42 PM

Vulnerability Rating (Custom Algorithm)

spread: 0.3
impact: 3.1
exploitability: 6.2
remediation: 7.7
relevance: 5.1
threat: 6.4
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.