Skip to main content

Buffer Overflow Attack

The Attack

This attack is very common in a lot of frameworks and coding languages and requires a very low-level understanding.

In Nodejs there was a bug in the Buffer core library that was reported in 2016 by Feross Aboukhadijeh (feross) and was fixed in Nodejs already.

If an attacker can make your program call the Buffer constructor with a Number argument, then they can make it allocate uninitialized memory from the node.js process. This could potentially disclose TLS private keys, user data, or database passwords. by Feross Aboukhadijeh in Nodejs Github

For compatibility reasons, the old API is still available. The Nodejs team added a warning message in case you use it or if it was introduced by any of your dependencies.

(node:7147) [DEP0005] DeprecationWarning:
The Buffer() and new Buffer() constructors are not recommended
for use due to security and usability concerns. Please use
the new Buffer.alloc(), Buffer.allocUnsafe(), or Buffer.from()
construction methods instead.

at showFlaggedDeprecation (buffer.js:127:13)
at new Buffer (buffer.js:148:3)
at Object.<anonymous> (/path/to/example.js:2:13)
[... more stack trace lines ...]

The solution

Avoid the old Buffer API:

// [DEPRECATED] new Buffer(number)
Buffer.alloc(number)
// [DEPRECATED] new Buffer(string)
.Buffer.from(string)

// [DEPRECATED] new Buffer(string, encoding))
Buffer.from(string, encoding)

// [DEPRECATED] new Buffer(...arguments)
Buffer.from(...arguments)

In case you need to keep the legacy Buffer code running, please use safe-buffer as a fast mitigation option.

Refs