A recent vulnerability found in the open-source ImageMagick library used by Yahoo! to process images could have allowed attackers to view image email attachments. After being reported by security researcher Chris Evans, Yahoo! retired the library and rewarded Evans a $14,000 bounty.
It’s not the first time the ImageMagick library had been found vulnerable: in 2016, a reported vulnerability (CVE-2016-3714) allowed attackers to upload maliciously crafted files to gain a remote shell into vulnerable web servers.
The new vulnerability involves using an 18-byte exploit file and attaching it to an email. Once the recipient (in this case the security researcher) opened it, he would see an image stored in the web server’s memory rather than the attached one. Repeating the procedure would bring up different in-memory images at random.
“This type of vulnerability is fairly stealthy compared to an out-of-bounds read because the server will never crash,” according to Evans. “However, the leaked secrets will be limited to those present in freed heap chunks.”
The researcher’s proof of concept shows that, with as little as 18 bytes of input – practically a single line – attackers could not only grab images undetected, but also that memory-disclosure attacks of this kind are more difficult to detect than ones that crash the server.
“The vulnerability exists in the obscure RLE (Utah Raster Toolkit Run Length Encoded) image format,” wrote the researcher. “It’s a tricky vulnerability to spot because of the abstraction and also because this is a vulnerability caused by the absence of a necessary line of code, not the presence of a buggy line of code.”
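To make the bug class concrete, here is a constructed toy run-length decoder, added for this article and not ImageMagick’s own code: a tiny input covering only a few pixels leaves the rest of the output buffer holding whatever stale data was already there, and the fix is the single initialization line the vulnerable path lacks. The run format, buffer size and the 'S' stand-in for leftover heap contents are all assumptions made for the demonstration.

```c
#include <stddef.h>
#include <string.h>

/* Constructed illustration, not ImageMagick's RLE coder: each run is a
 * (count, value) byte pair written into a caller-supplied pixel buffer.
 * In a real decoder that buffer is freshly allocated and may still hold
 * data from a previously freed heap chunk. */
#define WIDTH  8
#define HEIGHT 4
#define NPIX   (WIDTH * HEIGHT)

/* Decode `nbytes` of run data into `pixels`. With clear_first == 0 the
 * buffer is never initialized (the absent line), so pixels the input does
 * not cover keep their old contents. With clear_first == 1 the buffer is
 * zeroed up front (the fix). Returns the number of pixels written by runs. */
size_t decode_rle(const unsigned char *runs, size_t nbytes,
                  unsigned char *pixels, int clear_first)
{
    if (clear_first)
        memset(pixels, 0, NPIX);          /* the line the vulnerable version lacks */
    size_t pos = 0;
    for (size_t i = 0; i + 1 < nbytes; i += 2) {
        unsigned char count = runs[i], value = runs[i + 1];
        while (count-- && pos < NPIX)     /* bounded: no out-of-bounds write */
            pixels[pos++] = value;
    }
    return pos;
}

/* Count pixels still equal to `stale`, i.e. bytes the decoder handed back
 * without ever writing them. */
size_t count_stale(const unsigned char *pixels, unsigned char stale)
{
    size_t n = 0;
    for (size_t i = 0; i < NPIX; i++)
        if (pixels[i] == stale) n++;
    return n;
}

/* Demonstration: a constructed two-byte file covering 4 of 32 pixels, run
 * against a buffer that models a freed chunk full of 'S' bytes. Returns
 * how many stale bytes survive into the "decoded" image. */
size_t demo(int clear_first)
{
    static const unsigned char tiny_file[] = { 4, 0x7f };   /* one run of 4 pixels */
    unsigned char pixels[NPIX];
    memset(pixels, 'S', NPIX);            /* stand-in for leftover heap contents */
    decode_rle(tiny_file, sizeof tiny_file, pixels, clear_first);
    return count_stale(pixels, 'S');
}
```

With the initialization line missing, 28 of the 32 output pixels are stale bytes; with it present, none are.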
When Evans declared the $14,000 bounty would go to charity, Yahoo! doubled it.