Buffer Overflow Attack
Written by Ulises Gascón
Apr 08, 2020

The Attack
Bugs of this kind show up in many frameworks and languages, and understanding them requires some low-level knowledge of how memory is allocated.
In Node.js there was a bug in the core Buffer library that was reported in 2016 by Feross Aboukhadijeh (feross) and has since been fixed in Node.js.
"If an attacker can make your program call the Buffer constructor with a Number argument, then they can make it allocate uninitialized memory from the node.js process. This could potentially disclose TLS private keys, user data, or database passwords." (Feross Aboukhadijeh, in the Node.js GitHub issue)
For compatibility reasons, the old API is still available. The Node.js team added a deprecation warning that is printed when you call it, or when any of your dependencies does:
(node:7147) [DEP0005] DeprecationWarning:
The Buffer() and new Buffer() constructors are not recommended
for use due to security and usability concerns. Please use
the new Buffer.alloc(), Buffer.allocUnsafe(), or Buffer.from()
construction methods instead.
at showFlaggedDeprecation (buffer.js:127:13)
at new Buffer (buffer.js:148:3)
at Object.<anonymous> (/path/to/example.js:2:13)
[... more stack trace lines ...]
The solution
Avoid the old Buffer API and use the explicit constructors instead; each one states what it does, so the argument type can no longer change the behaviour:
// [DEPRECATED] new Buffer(number)
Buffer.alloc(number) // zero-filled; Buffer.allocUnsafe(number) keeps the old uninitialized behaviour and must be filled before use
// [DEPRECATED] new Buffer(string)
Buffer.from(string) // copies the string as UTF-8
// [DEPRECATED] new Buffer(string, encoding)
Buffer.from(string, encoding)
// [DEPRECATED] new Buffer(...arguments)
Buffer.from(...arguments) // also accepts arrays, ArrayBuffers and other Buffers; a number argument throws a TypeError
If you need to keep legacy Buffer code running (for example in a dependency you cannot patch yet), use the safe-buffer package as a quick mitigation: it exposes the same API with the safe implementations.
Refs
- Nodejs | Porting to the Buffer.from()/Buffer.alloc() API
- Github | Buffer(number) is unsafe #4660
- Snyk | Exploiting Buffer