Yahoo has exorcised itself of the troublesome ImageMagick image processing software after it learned of vulnerabilities in an outdated version of the open source tool it was running could be exploited to steal secrets from Yahoo servers.
Researcher Chris Evans, formerly of Google, privately disclosed the issue to Yahoo and earned a $14,000 bounty that he donated to charity (Yahoo matched Evans’ donation). Evans reported a new bug and demonstrated how he also used a previously known vulnerability in a separate proof-of-concept attack.
Evans said the vulnerabilities, which he calls Yahoobleed #1 and Yahoobleed #2, could allow an attacker to steal private Yahoo Mail images from the server, along with other authentication secrets.
“The bug allows attackers to download parts of Yahoo server memory, due to problems in image handling inside the ImageMagick library, which is used by Yahoo,” Evans told Threatpost. “Any real attack would involve the attacker repeatedly triggering this bug over a period of time, in order to thoroughly scan Yahoo server memory for interesting content, such as authentication secrets or images belonging to a range of other users.”
Evans praised Yahoo’s handling of the situation, responding well inside a self-imposed 90-day deadline by retiring ImageMagick.
Yahoobleed #1 involved a new vulnerability Evans found in ImageMagick, which has already been patched by the project. Unlike previous vulnerabilities, such as Heartbleed and Cloudbleed which also leaked secrets to attackers, this bug was the result of uninitialized memory, Evans said.
“An uninitialized image decode buffer is used as the basis for an image rendered back to the client. This leaks server side memory,” Evans wrote. “This type of vulnerability is fairly stealthy compared to an out-of-bounds read because the server will never crash. However, the leaked secrets will be limited to those present in freed heap chunks.”
Evans’ exploit was 18 bytes long and sent as an attachment via Yahoo Mail. He explained that he sent the attachment to itself, and saw through the preview pane that the JPEG served to his browser was based on previously freed memory. He exploited an issue in the RLE image format, an obscure format formally known as the Utah Raster Toolkit Run Length Encoded.
“It’s a tricky vulnerability to spot because of the abstraction and also because this is a vulnerability caused by the absence of a necessary line of code, not the presence of a buggy line of code,” Evans said. He added that an attacker could create a RLE image with header flags that do not request canvas initialization followed by an empty list of RLE protocol commands.
“This will result in an uninitialized canvas being used as the result of the image decode,” Evans said.
While Yahoobleed #1 leaked other Yahoo users’ private images, Yahoobleed #2 could be used to steal memory content other than images from Yahoo thumbnailing servers. The problem is due to an two-and-a-half year old version of ImageMagick that could be abused in order to exfiltrate raw memory bytes. Evans demonstrated the results of his exploit in a blog post that show he was able to retrieve sensitive data.
“We found a leak that encoded only a small amount of data per JPEG compressed pixel returned to us, allowing us to reliably reconstruct original bytes of exfiltrated server memory,” Evans said. “The combination of running an ImageMagick that is both old and also unrestricted in the enabled decoders is dangerous. The fix of retiring ImageMagick should take care of both those issues.”
