Wednesday, July 8, 2015

Upgrade Node.js to Avoid DoS Attack

TL;DR

If your are running Node.js v0.11.0 to v0.12.5 then you need to upgrade to v0.12.6 ASAP.



That's typically what happens with buffer exploits.

The Exploit

A bug in the way the V8 engine decodes UTF strings has been discovered. This impacts Node at the Buffer to UTF8 String conversion and can cause a process to crash. The security concern comes from the fact that a lot of data from outside of an application is delivered to Node via this mechanism which means that users can potentially deliver specially crafted input data that can cause an application to crash when it goes through this path. We know that most networking and filesystem operations are impacted as would be many user-land uses of Buffer to UTF8 String conversion.

Buffers

Here's some background information on how buffers work in NodeJS.

Buffers are instances of the Buffer class in node, which is designed to handle raw binary data. Each buffer corresponds to some raw memory allocated outside V8. Buffers act somewhat like arrays of integers, but aren’t resizable and have a whole bunch of methods specifically for binary data. In addition, the “integers” in a buffer each represent a byte and so are limited to values from 0 to 255 (2^8 – 1), inclusive.

There are a few ways to create new buffers:


var buffer = new Buffer(8);


This buffer is uninitialized and contains 8 bytes.


var buffer = new Buffer([ 8, 6, 7, 5, 3, 0, 9]);


This initializes the buffer to the contents of this array. Keep in mind that the contents of the array are integers representing bytes.


var buffer = new Buffer("I'm a string!", "utf-8")

Writing to Buffers

Given that there is already a buffer created:


var buffer = new Buffer(16);


We can start writing strings to it:


buffer.write("Hello", "utf-8")


The first argument to buffer.write is the string to write to the buffer, and the second argument is the string encoding. It happens to default to utf-8 so this argument is extraneous.

buffer.write returned 5. This means that we wrote to five bytes of the buffer. The fact that the string “Hello” is also 5 characters long is coincidental, since each character just happened to be 8 bits apiece. This is useful if you want to complete the message:


buffer.write(" world!", 5, "utf-8")


When buffer.write has 3 arguments, the second argument indicates an offset, or the index of the buffer to start writing at.

Reading from Buffers

Probably the most common way to read buffers is to use the toString method, since many buffers contain text:


buffer.toString('utf-8')
'Hello world!u0000�kt'


Again, the first argument is the encoding. In this case, it can be seen that not the entire buffer was used! Luckily, because we know how many bytes we’ve written to the buffer, we can simply add more arguments to “stringify” the slice that’s actually interesting:


buffer.toString("utf-8", 0, 12)
'Hello world!'

Using Buffers in the Browser

The Buffer exploit mainly affects backend server running NodeJS (or old versions of IO.JS), but the use of Buffers is not limited to the backend.

You can work also with buffers in the Browser by using: https://github.com/toots/buffer-browserify.

However, its performance is poor, mainly due to Buffer design decisions.

Equivalent functionality, with better performance metrics, in the browser is provided by TypedArrays or https://github.com/chrisdickinson/bops.

bops

bops presents a JavaScript API for working with binary data that will work exactly the same in supported browsers and in node. due to the way that Buffer is implemented in node it is impossible to take code written against the Buffer API and make it work on top of binary data structures (Array Buffers and Typed Arrays) in the browser.

Instead, you have to fake the API on top of Object, but Object isn't designed for holding raw binary data and will be really slow/memory inefficient for many common binary use cases (parsing files, writing files, etc).

Upgrade NodeJS

If your target operating system is OSX, then you probably have 3 main packages to consider:
  • NodeJS
  • NPM
... and probably these as well:
  • Homebrew
  • NVM

If you're a Homebrew user and you installed node via Homebrew, there are issues with the way Homebrew and NPM work together stemming from the fact that both homebrew and npm are package management solutions.

If you're a Homebrew user and you installed node via Homebrew, there is a major philosophical issue with the way Homebrew and NPM work together.

There are many ways to install these packages.

Read this article for my suggested solution (that does not require you to use sudo permissions): Cleanly Install NVM, NodeJS and NPM.

References

http://lexsheehan.blogspot.com/2015/04/cleanly-install-nvm-node-and-npm.html
http://blog.nodejs.org/2015/07/03/node-v0-12-6-stable/
http://blog.nodejs.org/vulnerability/
https://github.com/toots/buffer-browserify
https://github.com/chrisdickinson/bops
http://www.read.seas.harvard.edu/~kohler/class/05f-osp/notes/lec19.html
http://jsdevs.com/how-to-use-buffers-in-node-js/

This work is licensed under the Creative Commons Attribution 3.0 Unported License.

77 comments:

  1. Image is best to explain the buffer overflow. I easily understand the issue from the above image. Thanks to share the function of how buffers work. iOS Event Application

    ReplyDelete
    Replies
    1. Thanks for sharing the very nice blog post. It is the really very impressive blog post about the funny poker game. If you want to play the poker game and looking to develop the android and ios app for the poker games then you DM on sales@mobzway.com. Visit: Poker Game Development Company

      Delete
  2. Nice blog. Thanks for sharing such great information.Inwizards Inc is a Nodejs Development company offers quality Node.js development services best in software industries. Intrested click here - Hire Nodejs Developers

    ReplyDelete
  3. Nice blog. Thanks for sharing such great information. BRsoftech is a Nodejs Development company offers quality Node.js development services best in software industries

    ReplyDelete
  4. As a Node.JS development company, Augurs is offering an affordable Node.JS development service for web applications and web development across the world.

    ReplyDelete
  5. After seeing your article I want to say that the presentation is very good and also a well-written article with some very good information which is very useful for the readers....thanks for sharing it and do share more posts like this.
    Data Science course in Indira nagar
    Data Science course in marathahalli
    Data Science Interview questions and answers
    Data science training in tambaram
    Data Science course in btm layout
    Data science course in kalyan nagar
    Data science course in bangalore

    ReplyDelete
  6. Thanks For sharing Your information The Information Shared Is Very Valuable Please Keep updating Us Time Just Went On Redaing The Article Python Online Course Devops Online Course Data Science Online Course Aws Science Online Course

    ReplyDelete
  7. This comment has been removed by the author.

    ReplyDelete
  8. Hey That was a great read, very informative, though native java debugging is not something I am good at i really liked this article, Check this out for a little more info.
    Angular JS

    ReplyDelete
  9. Great content but i like ReactJS better then nodeJS, there are many ReactJS Development Companies which develop great apps for their clients.

    ReplyDelete
  10. Hire nodejs developer team.They are well skilled and experienced more than 6 years.

    ReplyDelete
  11. Hey, that was a great read & very informative. I really like your post! good job. Fantasy sports app development | Healthcare Mobile App Development

    ReplyDelete
  12. And also thanks for sharing this informative. Keep it Sir and I am waiting for your next post on your site blog.

    Best Training Institute in Bangalore BTM. My Class Training Bangalore training center for certified course, learning on Software Training Course by expert faculties, also provides job placement for fresher, experience job seekers.
    Software Training Institute in Bangalore

    ReplyDelete
  13. Thanks for sharing this information. InnovationM is the best website design agency  and mobile app development company in London, UK. Top andoid app developers and iOS app developers, web designers in birmingham and Software development company in UK. Best  legal website design company in Birmingham, London, Luton, Derby, Sheffield, UK.

    ReplyDelete
  14. Best Android app development company in UK. Top Android application development company London - InnovationM
    InnovationM is the best android app development company in London, UK. Top android application development agency and most trusted Android app developers UK.

    android and ios app developer
    Android app development company in London
    android application development london
    android development company uk
    android app development uk
    android app development company london
    android app development company uk
    android application development uk
    android app developers uk
    android app development in uk
    android development for ios developers
    android app development london
    android application development uk
    android app developers uk
    android app development in uk

    For More: https://innovationm.co.uk/android_app_development_company_london

    ReplyDelete
  15. Best iOS App development company in London UK. Top iOS app developer UK - InnovationM
    InnovationM is the best iOS app development company in London, UK. Top iPhone application development agency and most trusted iOS app developers UK.

    ios app development london
    iphone app development london
    iphone app development company london
    iphone application development london
    iphone app developers london
    ios app development london
    iphone app development london
    iphone app development company london
    iphone application development london
    ios application development company
    ios mobile app development company
    ios mobile app development company
    ios trusted developer
    custom ios app development
    ios software developer
    top ios app development company
    ios developer website
    ios software development
    ios mobile developer
    best ios app development company

    For More: https://innovationm.co.uk/iOS_app_development_company_london

    ReplyDelete
  16. best website development agency in london (UK). Trusted Website developer in UK
    InnovationM provides the best website development services in united kingdom.Providing dynamic ecoomerce website solution. web design agency london
    website design london
    best web design companies london
    web design company london
    creative web design london
    web development london
    web agency london
    web development company london
    website designers london
    web development agency london
    website development london
    website developers in london
    web developers london
    web design services in london
    website design company london
    creative web design agency london
    web design studio london
    ecommerce web design london
    web design london agency
    website design services london
    web design development london
    website development company london
    top 10 web design companies in london
    best web design agency london
    london web design services
    top web design companies london
    best web development company in london
    website development agency london
    ecommerce website development For more:https://innovationm.co.uk/web_development_company_london

    ReplyDelete
  17. Best software development agency in UK.software development company in london,UK.

    InnovationM is Most Trusted Software Development Company.

    We are top Software developers in London, Luton, Birmingham, Derby, Sheffield (United Kingdom) software development company in london
    software app developer
    application development agency in uk
    android software development
    android app development software
    mobile app development software
    mobile application software
    application software developer
    software application development
    web designer software
    web application development software
    custom application development services
    mobile app development company in uk
    mobile app development company london
    best android app development software
    app designing software
    app development companies uk For more:https://innovationm.co.uk/software_development_company_london

    ReplyDelete
  18. InnovationM is the best web design agency in derby.

    InnovationM is the Award-Winning Web Design Agency of Derby, UK.

    We are Top Mobile App Development Company in Derby.web design company derby
    web design agency derby
    web design in derby
    website designers derby
    website design derby
    web design derby uk
    web development derby
    web developer derby For more:https://innovationm.co.uk/web_design_company_derby

    ReplyDelete
  19. InnovationM is the best web designers in birmingham, UK. We are top web developers birmingham and top website design company birmingham.

    We are one bespoke birmingham web design agency. We are best mobile app development and Android app development company in Birmingham in UK web designers in birmingham
    web development company birmingham
    magento agency birmingham
    app design company birmingham
    web development agency birmingham
    birmingham web development
    web developers birmingham
    website designers birmingham
    website design birmingham
    web design company birmingham
    birmingham web design agency
    web design birmingham uk
    ecommerce website design birmingham
    website design agency birmingham
    website builders birmingham
    freelance web designer birmingham
    ecommerce web design birmingham
    web agency birmingham
    website development birmingham
    website design company birmingham
    freelance web developer birmingham
    web hosting birmingham

    https://innovationm.co.uk/
    https://innovationm.co.uk/website_design_for_law_firms_in_birmingham_london
    https://innovationm.co.uk/software_development_company_london
    https://innovationm.co.uk/web_development_company_london
    https://innovationm.co.uk/iOS_app_development_company_london
    https://innovationm.co.uk/android_app_development_company_london
    https://innovationm.co.uk/web_design_company_derby

    ReplyDelete
  20. I finally found a great article here. I will stay here again. I just added your blog to my bookmarking sites. Thank you. Quality postings are essential to get visitors to visit the website, that's what this website offers.

    Data Analytics Course in Bangalore

    ReplyDelete
  21. Proit Melbourne is an excellent Best Web Design company Melbourne that offers web design, software development, mobile apps, and SEO services. We are among the leading Best Web development companies in Melbourne.

    ReplyDelete
  22. Whether you are a business looking for a mobile appor a student who wants to create a mobile and web application, expertise in programming is a must. Technology has made it easier to develop an app or a program. For example, using the code7, you can develop a web or mobile application with a few clicks. The code7 is a software that is created by a group of software programmers, who came together to make a software that would be an easy way to create any software application.

    ReplyDelete
  23. Thanks for sharing the fascinating blog here. Very helpful and innovative. I love this article waiting for the next one

    Digital Marketing Training In Telugu

    ReplyDelete
  24. I'm glad I found this blog! Occasionally, students want to know the keys to writing productive literary essays. Your first-class knowledge of this great job can become a suitable foundation for these people. Good

    Digital Marketing Training in Bangalore

    ReplyDelete
  25. MY SKILLS

    SEARCH ENGINE OPTIMISATION



    I can get you top rankings for high Search Volume & High competition Keywords.



    SEO is simple, if you can understand how Google algorithm works and what your user expects from your webiste. If you can develop web pages that can adress the users intent, seo becomes easy.



    With my experience in building Authority sites that can actually rank for high volume and money making keywords. I train people on SEO and share profit making websites case studies to students.

    ReplyDelete
  26. Such a very useful article. Very interesting to read this article.I would like to thank you for the efforts you had made for writing this awesome article.
    data science training

    ReplyDelete
  27. Mobile apps have become an important part of every business. Mobile apps have been affecting business for quite a while and help in expanding scalability. Developing an astonishing-looking app with robust security and modern technology is a tough task. For this QuikieApps, the leading Mobile app development company has the best expertise in mobile app development. To develop the finest applications with attractive interfaces and smooth operations, you can count on us. QuikieApps is the top React Native app development company in the market. We have influenced various fields including travel, sports, eCommerce, enterprise, marketing, social media, gaming, etc. As a top Reactjs Development Services Companyprovider, QuikieApps design, and develop Web Apps and Mobile apps that get featured in the app store and win the marketplace. We build apps that get noticed. We excel in strategy, design, and development for iPhone & Android apps, and work for startups and enterprises as well.
    Web development company

    ReplyDelete
  28. Tosca Test is an agile software tool that is used for automation of test cases end to end that ensures comprehensive management of software applications.This tool is designed on Linear methodology,the aspects include test script design,test data design and generation,test automation strategy.All these concepts will help in continuous and rigorous testing of APIs and GUIs from a Business point of view.Model based test technique and Risk based test technique are the technologies that make it special from others.

    ReplyDelete
  29. Thanks for sharing wonderful Information. In this article I learn a lot. And if you want to know m about wedding or matrimonial services visit:- Truelymarry
    One of the best Indian matrimonial site in Kanpur TruelyMarry
    We provide services:-Kanpur , Manglik , Second Marriage

    ReplyDelete
  30. Very good message. I came across your blog and wanted to tell you that I really enjoyed reading your articles.

    Best Cyber Security Training Institute in Bangalore

    ReplyDelete
  31. Thanks For Sharing the way you presented is really amazing this helped me to gain lot of knowledge
    Best Software Training Institutes

    ReplyDelete
  32. I wanted to leave a little comment to support you and wish you the best of luck. We wish you the best of luck in all of your blogging endeavors.

    Digital Marketing Institute in Bangalore

    ReplyDelete
  33. With so many books and articles coming up to give gateway to make-money-online field and confusing reader even more on the actual way of earning money, ai course in delhi

    ReplyDelete
  34. I have checked this link this is really important for the people to get benefit from. best data science training institute in gurgaon

    ReplyDelete
  35. You have completed certain reliable points there. I did some research on the subject and found that almost everyone will agree with your blog.

    Best Ethical Hacking Institute in Bangalore

    ReplyDelete
  36. This is very fascinating, You are an excessively skilled blogger. I’ve joined your feed and sit up for seeking extra of your magnificent post. Additionally, I’ve shared your site in my social networks data science training institute in gurgaon

    ReplyDelete
  37. Magnificent beat ! I wish to apprentice while you amend your site, how could i subscribe for a blog web site? The account aided me a acceptable deal. I had been tiny bit acquainted of this your broadcast offered bright clear idea data science training institute in gurgaon

    ReplyDelete
  38. Excellent work done by you once again here. This is just the reason why I’ve always liked your work. You have amazing writing skills and you display them in every article. Keep it going! data science course in surat

    ReplyDelete
  39. This is a wonderful article, Given so much info in it, These type of articles keeps the users interest in the website, and keep on sharing more ... good luck.
    data science course in malaysia

    ReplyDelete
  40. It's like you've got the point right, but forgot to include your readers. Maybe you should think about it from different angles.


    Business Analytics Course in Nashik

    ReplyDelete
  41. I will truly value the essayist's decision for picking this magnificent article fitting to my matter.Here is profound depiction about the article matter which helped me more.

    ReplyDelete
  42. 360DigiTMG, the top-rated organisation among the most prestigious industries around the world, is an educational destination for those looking to pursue their dreams around the globe. The company is changing careers of many people through constant improvement, 360DigiTMG provides an outstanding learning experience and distinguishes itself from the pack. 360DigiTMG is a prominent global presence by offering world-class training. Its main office is in India and subsidiaries across Malaysia, USA, East Asia, Australia, Uk, Netherlands, and the Middle East

    ReplyDelete
  43. Гадание на цыганских картах - это простейший вариант спрогнозировать будущее с использованием всевозможных атрибутов и приемов. Перечень деяний, ориентированных на прогнозирование будущего, называют ворожба. Магические силы и всякие способы ворожения научно не установлены, тем не менее различные люди верят в это.

    ReplyDelete
  44. Wonderful article. It's very useful.
    It looks like you have put lot of work into this.
    SMARS designs jewelry to run along with your ever-changing wardrobe. A piece of Jewelry can either make or break your entire look; therefore, every unique outfit needs a different piece of jewelry to compliment it. But looking at the prices of traditional jewelry, we usually find occasions like festivals or ceremonies to buy it. And these adorable pieces spend most of their lives in the lockers. Komal, the founder of SMARS, understood this gap in the market. Every single piece is limited edition and walks hand-in-hand with trends. Adored by customers from all over the world, we ensure the quality delivery of our high-end, Indian fashion costume jewelry. Shop online for latest collection of Kundan, antique and temple jewelry in India check out necklace sets, earrings, bangles, chokers for girls and many more Indian jewelry sets for women available with free shipping across India.
    Take a look: Buy Traditional Fancy Chokers For Women Online

    ReplyDelete
  45. Thank you for bringing more information to this topic for me. I’m truly grateful and really impressed. Visit: Dhamaal Games

    ReplyDelete
  46. Much thanks for composing such an intriguing article on this point. This has truly made me think and I plan to peruse more business analytics course in surat

    ReplyDelete
  47. 360DigiTMG, the top-rated organisation among the most prestigious industries around the world, is an educational destination for those looking to pursue their dreams around the globe. The company is changing careers of many people through constant improvement, 360DigiTMG provides an outstanding learning experience and distinguishes itself from the pack. 360DigiTMG is a prominent global presence by offering world-class training. Its main office is in India and subsidiaries across Malaysia, USA, East Asia, Australia, Uk, Netherlands, and the Middle East.

    ReplyDelete
  48. Amazing article. It's very useful.
    It looks like you have put lot of work into this.
    Promotedigitally is Best Digital Marketing company who promise
    to get Rank and Bank for your business. We Are a team of highly experienced ,
    creative digital marketers who have the most accurate and best search engine optimization and
    marketing.We are a digital performance-based eCommerce marketing agency in USA .
    We help DTC brands to grow their business by providing them with sales
    Take a look: Ecommercee Agency In Usa

    ReplyDelete
  49. Data Science handles structured and unstructured and data that is generated at an unprecedented rate every day. Anyone with a strong statistical background and an analytical mindset enjoys the challenges of big data that involves building data models and software platforms along with creating attractive visualizations and machine learning algorithms. Sign up for the Data Science courses in Bangalore with Placements and get access to resume building and mock interviews that will help you get placed with top brands in this field.

    Data Science in Bangalore

    ReplyDelete
  50. Learn the fundamentals of Data Science and master the skills to handle epic amounts of data collected by organizations today. Gain expertise in organizing, analyzing, and transforming data to uncover its hidden power. Drive your career forward with a Data Science course in Bangalore and learn to uncover insights to present critical findings using visualization tools. Not only this, avail the best-in-class content delivered by stellar faculty who use a blended approach of theory as well as practical knowledge to ensure all the concepts are crystal clear.

    Best Data Science Training institute in Bangalore

    ReplyDelete
  51. The increase in big data has led to a boom in the field of Data Science spiking ample career opportunities. Enroll in the Data Science training in Bangalore and invest in emerging skills and transform any business by wrangling, analyzing, and visualizing data. Give your career a makeover and gain in-depth knowledge on how to extract valuable insights from complex and large sets of data. Get to work on a live project which is designed to give hands-on experience to you along with career guidance and mentorship.
    Best Data Science Training institute in Bangalore

    ReplyDelete
  52. Companies are increasingly turning to data for decision-making and are depending on data professionals to do so. Develop strong logical and numerical aptitude and learn to work with R, Python, SQL, Hadoop, and statistical techniques like Linear Regression, Logistic Regression, etc. Sign up for the Data Scientist training in Bangalore, and gain expertise in using sophisticated analytical methods and statistical methods to prepare data for predictive and prescriptive modeling.

    Data Science Course in Bangalore with Placement

    ReplyDelete
  53. The new wave of innovation that is changing the way people do business is called data science. Gain expertise in organizing, sorting, and transforming data to uncover hidden patterns Learn the essential skills of probability, statistics, and machine learning along with the techniques to break your data into a simpler format to derive meaningful information. Enroll in Data science in Bangalore and give yourself a chance to power your career to greater heights.


    Data Science Course in Delhi


    Data Science Course in Delhi

    ReplyDelete
  54. Learn to use analytics tools and techniques to manage and analyze large sets of data from Data Science training institutes in Bangalore. Learn to take on business challenges and solve problems by uncovering valuable insights from data. Learn from the comprehensively designed curriculum by the industry experts and work on live projects to sharpen your skills.

    Data Science in Bangalore

    ReplyDelete
  55. Are you looking for a Data Science course that will aid you in your career growth. 360DigiTMG is the right place for you. Enroll now for a better tomorrow.Data Scientist Course in Delhi

    ReplyDelete
  56. I really appreciate the kind of topics you post here. Thanks for sharing us a great information that is actually helpful. Good day!
    Web Design
    Brisbane

    Web Development Brisbane

    ReplyDelete
  57. React JS Training in Hyderabad

    ReplyDelete
  58. Very much informative, thanks for sharing

    ReplyDelete
  59. Great job on this article! I'm intrigued with your thoughts on this subject as well as your writing skills. I like it when I can tell a writer has poured him/herself into an article. The leading digital marketing company derby is a dynamic force in the digital realm. With a deep understanding of the local market, they craft tailored strategies for businesses seeking online prominence. Their holistic approach encompasses SEO, PPC, social media management, content creation, and more. By leveraging data-driven insights, they ensure every marketing effort yields maximum impact.
    From elevating SEO rankings to creating engaging content and mastering social media platforms, their expertise is unmatched. Transparent reporting and accountability are their hallmarks, providing clients with clear visibility into campaign performance. Partner with them to unlock unparalleled success in the digital landscape.

    ReplyDelete