Package: node-stringbuilder
Tested Version: 2.2.7
GitHub Repository: https://github.com/magiclen/node-stringbuilder
Vulnerability: Out-of-bounds Read
Due to incorrect memory length calculation, calling ToBuffer, ToString, or CharAt on a StringBuilder object with a non-empty string value input can return previously allocated memory, for example by providing negative indexes.
Vulnerable code (napi_create_string_utf16):
ToBuffer: https://github.com/magiclen/node-stringbuilder/blob/5c2797d3d6bf8cb6d10fe1e077609cef9a5a7de0/src/node-stringbuilder.c#L1281
ToString: https://github.com/magiclen/node-stringbuilder/blob/5c2797d3d6bf8cb6d10fe1e077609cef9a5a7de0/src/node-stringbuilder.c#L1324
CharAt: https://github.com/magiclen/node-stringbuilder/blob/5c2797d3d6bf8cb6d10fe1e077609cef9a5a7de0/src/node-stringbuilder.c#L1819
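The root cause described above is that index and length arguments reach the native layer without being bounded. As an added example (not part of this advisory and not code from node-stringbuilder), the wrapper below validates every index and [start, end) range in JavaScript before forwarding the call to a builder object. The `builder` interface it assumes (length(), charAt(index), toString(start, end), toBuffer(start, end)) is hypothetical, as is the `fakeBuilder` stand-in used to run it offline; the real package's API may differ.

```javascript
// Added example: bounds-check accessor arguments before they reach native code.
// The builder interface below is an assumption for illustration only.

// Validate that `index` is an integer within [0, length).
function checkIndex(length, index) {
  if (!Number.isInteger(index) || index < 0 || index >= length) {
    throw new RangeError(`index ${index} out of range for length ${length}`);
  }
  return index;
}

// Validate a half-open [start, end) range within [0, length].
// Missing arguments default to the whole string, as the accessors would.
function checkRange(length, start, end) {
  const s = start === undefined ? 0 : start;
  const e = end === undefined ? length : end;
  if (!Number.isInteger(s) || !Number.isInteger(e) || s < 0 || e > length || s > e) {
    throw new RangeError(`range [${s}, ${e}) out of bounds for length ${length}`);
  }
  return [s, e];
}

// Wrap a builder-like object so every accessor is bounds-checked first.
function guardBuilder(builder) {
  return {
    length: () => builder.length(),
    charAt(index) {
      return builder.charAt(checkIndex(builder.length(), index));
    },
    toString(start, end) {
      const [s, e] = checkRange(builder.length(), start, end);
      return builder.toString(s, e);
    },
    toBuffer(start, end) {
      const [s, e] = checkRange(builder.length(), start, end);
      return builder.toBuffer(s, e);
    },
  };
}

// Constructed stand-in for a builder holding a UTF-16 string. It models the
// API shape only; a native addon would keep its data in C-allocated memory.
function fakeBuilder(text) {
  return {
    length: () => text.length,
    charAt: (i) => text[i],
    toString: (s, e) => text.slice(s, e),
    toBuffer: (s, e) => Buffer.from(text.slice(s, e), 'utf16le'),
  };
}

// Returns true when `fn` is rejected by the bounds checks.
function rejects(fn) {
  try {
    fn();
    return false;
  } catch (err) {
    return err instanceof RangeError;
  }
}

const sb = guardBuilder(fakeBuilder('AA'));
console.log(sb.toString());                      // "AA"
console.log(rejects(() => sb.charAt(-1)));       // true
console.log(rejects(() => sb.toString(-5, 2)));  // true
console.log(rejects(() => sb.toBuffer(0, 100))); // true
```

The checks are deliberately placed in JavaScript so a caller cannot pass a negative or oversized value to the native accessor at all; the same validation belongs inside the addon's C entry points, where the length actually handed to napi_create_string_utf16 is computed.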
Similar issue:
Tested on:
Ubuntu 22.04.3 LTS
Node v18.19.0
Installation:
sudo apt-get install build-essential
npm i node-stringbuilder
chmod +x ./run.sh
Usage
./run.sh <poc1|poc2|poc3> <max_iterations>
NOTE: The previously allocated memory data may not be printed on the first run, so ./run.sh may have to be executed multiple times. If you don't see any random bytes printed, run ./run.sh again.
- poc1
./run.sh poc1 50
Output:
...
Running poc1
[+] toString
AA<random-data>
Status code is -1. Exiting the loop.
- poc2
./run.sh poc2 50
Output:
...
Running poc2
[+] toBuffer
AA<random-data>
Status code is -1. Exiting the loop.
- poc3
./run.sh poc3 10
Output:
...
Running poc3
[+] charAt
<random-byte>
Status code is -1. Exiting the loop.
Information Disclosure
Alessio Della Libera