Node.js remote memory disclosure vulnerability - vulnerability warning - the Black Bar Safety Net

ID MYHACK58:62201670798
Type myhack58
Reporter Anonymous
Modified 2016-01-08T00:00:00


A vulnerability has recently been found in the ws module for Node.js: simply sending a ping frame is enough to make ws hand over allocated memory. The ping is neither rejected nor does it fail; it is sent, but its payload is inflated, and the extra bytes come from memory that was never cleared.


That is the visible effect of the vulnerability. Its cause lies in how ws handles data: like much of the Node.js ecosystem, ws converts whatever it is handed into a Buffer before putting it on the wire, and it does not check the type of the data it is asked to send. When the data is a number, the Buffer constructor does not store the number: it treats it as a size, allocates that many bytes, and Node.js does not clear the memory it hands back.

    var x = new Buffer(100);   // 100 bytes of uninitialised memory
    // vs
    var x = new Buffer('100'); // 3 bytes: the characters "1", "0", "0"

Where only 3 bytes of real data were meant, 100 bytes of storage are allocated. So when the server has to handle a ping whose payload is the number 1000, ws allocates 1000 bytes that were never cleared, whatever those bytes previously held becomes the payload of the frame, and that old data is disclosed. The following proof of concept sends such a ping and prints the pong that comes back:

    var ws = require('ws')
    var server = new ws.Server({ port: 9000 })
    var client = new ws('ws://localhost:9000')
    client.on('open', function () {
      console.log('open')
      client.ping(50) // the number 50 is read as a size: this makes the server return a non-zeroed buffer of 50 bytes
      client.on('pong', function (data) {
        console.log('got pong')
        console.log(data) // a non-zeroed out allocated buffer returned from the server
      })
    })
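The conversion described above, as an added example that is neither the advisory's nor the ws project's code: framePayloadVulnerable() reproduces the pre-fix behaviour (a number reaches the Buffer constructor and is read as a size), framePayloadFixed() is the hardened form, and staleByteCount() is a small check for uninitialised content. The function names and the sequence-number input are this example's own; Buffer.allocUnsafe() stands in for new Buffer(number) because Node.js has zero-filled new Buffer(size) since version 8, which would mask the behaviour.

```javascript
// Added example, not code from the advisory or from the ws project. It mimics
// the payload conversion ws performed before the fix (anything that is not a
// Buffer goes through the Buffer constructor) and places the hardened form
// beside it. Function names are this example's own.

// Vulnerable form. new Buffer(data) was the original call; for a number it
// allocates that many UNINITIALISED bytes, which Buffer.allocUnsafe() spells
// out explicitly in current Node.js (new Buffer(n) zero-fills since Node 8,
// which would hide the bug).
function framePayloadVulnerable(data) {
  if (Buffer.isBuffer(data)) return data;
  if (typeof data === 'number') return Buffer.allocUnsafe(data); // size, not value
  return Buffer.from(String(data));
}

// Hardened form: a number becomes its decimal digits, and anything else that
// is not a string or Buffer is rejected instead of being guessed at.
function framePayloadFixed(data) {
  if (Buffer.isBuffer(data)) return data;
  if (data === undefined || data === null) return Buffer.alloc(0);
  if (typeof data === 'number') data = data.toString();
  if (typeof data !== 'string') {
    throw new TypeError('ping payload must be a string, number or Buffer');
  }
  return Buffer.from(data);
}

// Count bytes that are not zero. On a freshly allocated, uninitialised buffer
// every non-zero byte is stale data from an earlier use of that memory.
function staleByteCount(buf) {
  let n = 0;
  for (const b of buf) if (b !== 0) n++;
  return n;
}

// Constructed demonstration input: the value an application might pass to
// ping() when it intends to send a sequence number.
const seq = 1000;
const leaky = framePayloadVulnerable(seq);
const safe = framePayloadFixed(seq);
console.log('vulnerable: %d bytes on the wire, %d of them stale',
            leaky.length, staleByteCount(leaky));
console.log('fixed: %d bytes on the wire: %s', safe.length, safe.toString());
```

The stale-byte count printed for the vulnerable path varies from run to run, which is the point: the payload is whatever the allocator happened to hand back.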

Two factors partly mitigate this vulnerability:

1. Any modern operating system kernel zeroes a page of memory before mapping it into a process, so a freshly mapped page carries no data from other processes. Only memory that the node process itself has already used and released can be disclosed.

2. Node.js allocates small Buffers from a large internal pool created in JavaScript and hands out slices of that pool; this memory is managed by Node.js outside the V8 engine, so the stale bytes do not come from V8 heap objects. Only data that previously lived in memory used for Buffers can be disclosed.

Neither factor makes the issue harmless: memory used for Buffers is exactly where a Node.js process's network and file data passes through, so what it narrows is the kind of data exposed, not whether data is exposed.
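The two limits above can be observed directly. This added example (not from the advisory) inspects the ArrayBuffer behind a Buffer to tell pooled slices from standalone allocations, and shows two consecutive small unsafe allocations landing side by side in the same slab; allocationInfo() and slabNeighbours() are names chosen here.

```javascript
// Added example, not from the advisory: inspects how Node.js backs a Buffer,
// to show the limits on the disclosure. Buffer.allocUnsafe() (the modern name
// for what new Buffer(size) did) carves requests smaller than half of
// Buffer.poolSize (8 KiB by default) out of a shared slab that Node.js keeps
// outside the V8 heap, and gives larger requests their own ArrayBuffer.
// Buffer.alloc() zero-fills and never uses the pool. Function names are this
// example's own.
function allocationInfo(size, unsafe) {
  const buf = unsafe ? Buffer.allocUnsafe(size) : Buffer.alloc(size);
  const pooled = unsafe && size < (Buffer.poolSize >>> 1) &&
                 buf.buffer.byteLength === Buffer.poolSize;
  return {
    requested: size,
    backingBytes: buf.buffer.byteLength, // size of the underlying ArrayBuffer
    pooled,                              // slice of the shared slab?
    zeroed: buf.every((b) => b === 0),   // always true for alloc(); not guaranteed for allocUnsafe()
  };
}

// Two consecutive small unsafe allocations normally land next to each other
// in the same slab. A new slab is started only when the current one is
// exhausted, so retry to step over that boundary if it is hit.
function slabNeighbours() {
  for (let attempt = 0; attempt < 3; attempt++) {
    const a = Buffer.allocUnsafe(8);
    const b = Buffer.allocUnsafe(8);
    if (a.buffer === b.buffer) {
      return { shared: true, distance: b.byteOffset - a.byteOffset };
    }
  }
  return { shared: false, distance: NaN };
}

// Constructed sizes: one below the pooling threshold, one above it.
for (const size of [100, 5000]) {
  console.log(size, 'allocUnsafe:', allocationInfo(size, true));
  console.log(size, 'alloc      :', allocationInfo(size, false));
}
console.log('neighbouring slices:', slabNeighbours());
```

A pooled slice can only ever reuse bytes that earlier Buffers of the same process wrote into that slab; a non-pooled allocation comes straight from the process allocator, whose fresh pages the kernel has zeroed, leaving only memory this process itself freed earlier.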