Yahoo has reportedly shelved its use of ImageMagick image processing software after a researcher discovered two vulnerabilities that could be exploited to pull user content in unauthorized fashion from the memory of Yahoo’s private servers.
Security researcher Chris Evans, who discovered the vulnerabilities, dubbed them Yahoobleed #1 and Yahoobleed #2, because they evoked memories of the Heartbleed and Cloudbleed bugs, which also could be leveraged to leak server content.
In a rare security “win” for Yahoo, which is still reeling from pair of damaging data breaches that affected hundreds of millions of accounts, the company earned the kudos of Evans for responding decisively to his vulnerability disclosures within the company’s self-imposed 90-day response time window. Calling Yahoo’s response “one of best I’ve seen,” Evans reported that the company paid him $14,000 for his work. Evans said he plans to donate the reward to charity, which he says Yahoo! has agreed to match.
On the other hand, one of the two vulnerabilities, Yahoobleed#2, involved an old flaw found in vulnerable versions of ImageMagick, which has had its own share of security difficulties following the discovery of multiple vulnerabilities, including the ImageTragick bug, which enables remote code execution. This means that Yahoo was likely not using the most secure up-to-date version of ImageMagick before it retired the software, Evans theorized in a May 19 blog post. SC Media has reached out to Yahoo! for comment.
The Yahoobleed #2 vulnerability, which affected Yahoo! thumbnailing servers, consisted of an over-two-year-old out-of-bounds error in ImageMagick’s SUN decoder. To test out this flaw, Evans wrote a 40-byte SUN exploit file that exfiltrated a JPEG compressed file, from which he was able to recover raw bytes of data. “This was fun. We found a leak that encoded only a small amount of data per JPEG compressed pixel returned to us, allowing us to reliably reconstruct original bytes of exfiltrated server memory,” wrote Evans his post.
The other vulnerability, Yahoobleed #1, involved a zero-day ImageMagick bug that Davis himself discovered, which specifically resides in the obscure RLE (Utah Raster Toolkit Run Length Encoded) image format. Unlike Heartbleed and Cloudbleed, which resulted from out-of-bounds reads in server-side code, Yahoobleed #1 was caused by an “uninitialized image decode buffer” that was “used as the basis for an image rendered back to the client,” Evans explained in a separate May 18 blog post. “This leaks server-side memory.”
To demonstrate the dangers of this vulnerability, Evans wrote a simple 18-byte exploit file, which he sent to himself as a Yahoo! Mail attachment. After clicking on the image in the received mail, he received back a JPEG image featuring unauthorized, freed memory content. One of these images even featured a person’s face.
“Seeing a random face was a shock and illustrated the severity of the leak. At that point, I ceased, desisted, destroyed all files based on uninitialized memory and reported the bug,” Evans wrote. The developers of ImageMagick responded by publishing a patch that Evans himself authored as a fix.
SC Media reached out to the developers of ImageMagick for comment.