Buffer Overflow Attack

Written by Ulises Gascón

Apr 08, 20202 min read

The Attack

This attack is very common in a lot of frameworks and coding languages and requires a very low-level understanding.

In Nodejs there was a bug in the Buffer core library that was reported in 2016 by Feross Aboukhadijeh (feross) and was fixed in Nodejs already.

If an attacker can make your program call the Buffer constructor with a Number argument, then they can make it allocate uninitialized memory from the node.js process. This could potentially disclose TLS private keys, user data, or database passwords. by Feross Aboukhadijeh in Nodejs Github

For compatibility reasons, the old API is still available. The Nodejs team added a warning message in case you use it or if it was introduced by any of your dependencies.

(node:7147) [DEP0005] DeprecationWarning: 
    The Buffer() and new Buffer() constructors are not recommended 
    for use due to security and usability concerns. Please use 
    the new Buffer.alloc(), Buffer.allocUnsafe(), or Buffer.from() 
    construction methods instead.
    at showFlaggedDeprecation (buffer.js:127:13)
    at new Buffer (buffer.js:148:3)
    at Object.<anonymous> (/path/to/example.js:2:13)
    [... more stack trace lines ...]

The solution

Avoid the old Buffer API:

// [DEPRECATED] new Buffer(number) 
// [DEPRECATED]  new Buffer(string) 
// [DEPRECATED]  new Buffer(string, encoding))
Buffer.from(string, encoding)
// [DEPRECATED] new Buffer(...arguments) 

In case you need to keep the legacy Buffer code running, please use safe-buffer as a fast mitigation option.