Package: node-twain
Tested Version: 0.0.16
GitHub Repository: https://github.com/luomusha/node-twain
Vulnerability: Buffer Overflow
Creating a new twain.TwainSDK with a productName (or productFamily, manufacturer, version.info) property of 34 or more characters leads to a buffer overflow. The destination passed to strcpy (char *dest) is a fixed 34-byte array, and the length of the source string is never checked before the copy.
- Data read from user input: https://github.com/Luomusha/node-twain/blob/3b592a1bc9bce3f80855608451e3c40b8387a007/src/TwainSDK.cpp#L12-L30

    ...
    Napi::String versionInfo = version.Get("info").As<Napi::String>();
    Napi::String productName = configure.Get("productName").As<Napi::String>();
    Napi::String productFamily = configure.Get("productFamily").As<Napi::String>();
    Napi::String manufacturer = configure.Get("manufacturer").As<Napi::String>();
    ...
    TW_IDENTITY identity;
    strcpy((char *) identity.Version.Info, versionInfo.Utf8Value().c_str());
    strcpy((char *) identity.ProductName, productName.Utf8Value().c_str());
    strcpy((char *) identity.ProductFamily, productFamily.Utf8Value().c_str());
    strcpy((char *) identity.Manufacturer, manufacturer.Utf8Value().c_str());
    ...
- Size of the different properties: https://github.com/Luomusha/node-twain/blob/3b592a1bc9bce3f80855608451e3c40b8387a007/src/twain/twain.h#L434-L456

    typedef struct {
        ...
        TW_STR32 Info;
    } TW_VERSION, FAR * pTW_VERSION;

    typedef struct {
        ...
        TW_VERSION Version;
        ...
        TW_STR32 Manufacturer;
        TW_STR32 ProductFamily;
        TW_STR32 ProductName;
    } TW_IDENTITY, FAR * pTW_IDENTITY;
- Definition of TW_STR32: https://github.com/Luomusha/node-twain/blob/3b592a1bc9bce3f80855608451e3c40b8387a007/src/twain/twain.h#L217-L227

    ...
    typedef char TW_STR32[34], FAR *pTW_STR32;
    ...
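The fix a reviewer would ask for is a length check before the copy. The following is an added C++ example, not code from node-twain: it keeps the page's TW_STR32 typedef (34 bytes, so at most 33 characters plus the NUL terminator fit) and replaces each unchecked strcpy with a bounded copy that refuses over-long input instead of writing past the field. The IdentitySubset struct, the function names and the sample inputs are constructed for the example; in the real binding the failure would be turned into a JavaScript error through N-API, which is assumed here rather than shown.

```cpp
#include <cstring>
#include <iostream>
#include <string>

// Same layout as the TWAIN typedef on the page: 34 bytes, i.e. room for
// at most 33 characters plus the NUL terminator.
typedef char TW_STR32[34];

// Constructed subset of TW_IDENTITY for this example (not the full TWAIN struct).
struct IdentitySubset {
    TW_STR32 Manufacturer;
    TW_STR32 ProductFamily;
    TW_STR32 ProductName;
    TW_STR32 VersionInfo;
};

// Longest string that still fits in a TW_STR32: 33 characters.
size_t maxTwStr32Chars() { return sizeof(TW_STR32) - 1; }

// Hardened replacement for the unchecked strcpy: copy only if the source
// plus its terminator fits in the fixed-size field; otherwise leave the
// destination untouched and report failure to the caller.
bool setTwStr32(TW_STR32 dest, const std::string &src) {
    if (src.size() > maxTwStr32Chars()) {   // 34+ chars cannot fit with the NUL
        return false;
    }
    std::memcpy(dest, src.data(), src.size());
    dest[src.size()] = '\0';
    return true;
}

// Populate all four fields. On any over-long input the whole struct is
// zeroed and false is returned, so the caller can raise an error instead
// of continuing with a half-filled identity.
bool buildIdentity(IdentitySubset &id, const std::string &manufacturer,
                   const std::string &family, const std::string &product,
                   const std::string &info) {
    std::memset(&id, 0, sizeof(id));
    bool ok = setTwStr32(id.Manufacturer, manufacturer) &&
              setTwStr32(id.ProductFamily, family) &&
              setTwStr32(id.ProductName, product) &&
              setTwStr32(id.VersionInfo, info);
    if (!ok) {
        std::memset(&id, 0, sizeof(id));
    }
    return ok;
}

// Convenience check: is a productName of n characters accepted?
bool acceptsNameOfLength(size_t n) {
    IdentitySubset id;
    return buildIdentity(id, "Acme", "Scanners", std::string(n, 'A'), "1.0");
}

int main() {
    // Constructed inputs: 33 characters are accepted, 34 are rejected.
    std::cout << "33-char productName: "
              << (acceptsNameOfLength(33) ? "accepted" : "rejected") << "\n";
    std::cout << "34-char productName: "
              << (acceptsNameOfLength(34) ? "accepted" : "rejected") << "\n";
    return 0;
}
```

The "*** buffer overflow detected ***" abort in the PoC output below comes from glibc's fortified strcpy catching the overrun at run time; without that check the write would silently corrupt the memory following the field, so the length check belongs in the binding rather than relying on the abort.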
Tested on: Ubuntu 22.04.3 LTS, Node v18.19.0
- Install the build tools and the npm package:

    sudo apt-get install build-essential
    npm i node-twain
Usage: node poc.js <poc1|poc2|poc3|poc4>
- poc1
node poc.js poc1
Running poc1
*** buffer overflow detected ***: terminated
Aborted (core dumped)
- poc2
node poc.js poc2
Running poc2
*** buffer overflow detected ***: terminated
Aborted (core dumped)
- poc3
node poc.js poc3
Running poc3
*** buffer overflow detected ***: terminated
Aborted (core dumped)
- poc4
node poc.js poc4
Running poc4
*** buffer overflow detected ***: terminated
Aborted (core dumped)
Buffer Overflow
Alessio Della Libera