
Now you C me, now you don't, part two: exploiting the in-between

Blog post from GitHub

Post Details
Company: GitHub
Author: Bas Alberts
Word Count: 11,498
Language: English
Summary

This post examines vulnerabilities that arise at the Foreign Function Interface (FFI) between a memory-safe language (JavaScript) and memory-unsafe native code (C/C++) in Node.js packages, and walks through exploit development against them. It covers two bugs in Node.js native bindings: one in node-sass, which the author concludes is not practically exploitable because the heap corruption it allows is too constrained, and one in the png-img package, where a heap overflow is identified that can be driven to arbitrary command execution. The post traces the attacker's steps and reasoning, from assessing whether the bug is exploitable at all to building a proof-of-concept that turns the heap overflow into command execution. As part two of a series, it uses that walkthrough to make a defensive point: FFIs quietly reintroduce memory-unsafety into otherwise memory-safe codebases, and developers should adopt practices that mitigate that risk.
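The bug class the summary describes is a trust-boundary failure: sizes and buffers arrive from JavaScript, and the native side treats them as already validated. The following C is an added illustration of that pattern and its hardened form; it is not code from png-img, node-sass, or the original post, and the `image_t` struct, the function names, and the RGBA layout are assumptions chosen for the example. The "binding" is modelled as a plain C function so it compiles without Node headers.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>
#include <stdio.h>

/* Added illustration of the FFI trust-boundary bug class (hypothetical
 * binding, not png-img or node-sass code). The entry points take image
 * dimensions plus a pixel buffer from the script side; all of those values
 * are attacker-controlled. */

typedef struct {
    uint32_t width;
    uint32_t height;
    uint8_t *pixels;   /* RGBA, width * height * 4 bytes (assumed layout) */
} image_t;

/* Vulnerable pattern: the allocation size is derived from width/height with
 * a 32-bit multiply that can wrap, while the copy length is whatever length
 * the script's Buffer has. Two sources of truth for one length: whenever
 * src_len > nbytes, memcpy writes past the heap chunk (a heap overflow). */
int image_from_js_unsafe(image_t *img, uint32_t width, uint32_t height,
                         const uint8_t *src, size_t src_len)
{
    uint32_t nbytes = width * height * 4;   /* wraps modulo 2^32 */
    img->pixels = malloc(nbytes);
    if (!img->pixels) return -1;
    img->width = width;
    img->height = height;
    memcpy(img->pixels, src, src_len);      /* never compared against nbytes */
    return 0;
}

/* Hardened: compute the byte count with an explicit overflow check, and
 * refuse the call unless the declared dimensions and the buffer length agree
 * before anything is allocated or copied. */
int image_size_bytes(uint32_t width, uint32_t height, size_t *out)
{
    if (width == 0 || height == 0) return -1;
    if ((size_t)width > SIZE_MAX / 4 / height) return -1;  /* w*h*4 overflows */
    *out = (size_t)width * height * 4;
    return 0;
}

int image_from_js_safe(image_t *img, uint32_t width, uint32_t height,
                       const uint8_t *src, size_t src_len)
{
    size_t nbytes;
    if (image_size_bytes(width, height, &nbytes) != 0) return -1;
    if (src_len != nbytes) return -1;       /* single source of truth for length */
    img->pixels = malloc(nbytes);
    if (!img->pixels) return -1;
    memcpy(img->pixels, src, nbytes);       /* bounded by the allocation we made */
    img->width = width;
    img->height = height;
    return 0;
}

void image_free(image_t *img)
{
    free(img->pixels);
    img->pixels = NULL;
}

int main(void)
{
    uint8_t px[16] = {0};                   /* constructed 2x2 RGBA buffer */
    image_t img;

    /* Consistent input is accepted by both variants. */
    if (image_from_js_safe(&img, 2, 2, px, sizeof px) == 0) image_free(&img);

    /* A script that declares 2x2 but hands over a 32-byte Buffer is rejected
     * by the hardened path; the unsafe path would copy 32 bytes into 16. */
    printf("mismatched length rejected: %s\n",
           image_from_js_safe(&img, 2, 2, px, 32) == -1 ? "yes" : "no");
    return 0;
}
```

The `src_len != nbytes` comparison is the whole fix for the length-mismatch case; the `SIZE_MAX / 4 / height` guard closes the separate integer-wrap case that makes the allocation smaller than the caller intended. In a real N-API or node-addon-api binding the same two checks apply to the byte length reported by the `Buffer` object and to every dimension read from JavaScript numbers.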