How would you like US$778 per byte for your exploit?
That's what security researcher Chris Evans just scored from Yahoo!, for an 18-byte demonstration of how private Yahoo! Mail images could leak.
Even though the bug has been patched, Yahoo! decided it was one bug too many in ImageMagick, the image-processing library involved, and retired it.
Because (a) bugs get brands these days; and (b) “*bleed attacks are hot right now”, Evans called his trick “Yahoobleed #1” (YB1).
Evans turned up a zero-day, now patched, in the near-ubiquitous ImageMagick library. Here's how Evans describes it:
The previous *bleed vulnerabilities have typically been out-of-bounds reads, but this one is the use of uninitialized memory. An uninitialized image decode buffer is used as the basis for an image rendered back to the client. This leaks server side memory. This type of vulnerability is fairly stealthy compared to an out-of-bounds read because the server will never crash. However, the leaked secrets will be limited to those present in freed heap chunks.
The fix is simple enough: initialise the decode buffer before it is used, so that whatever a freed heap chunk happened to contain is never rendered into the output image.
In the unpatched version, Evans was able to attach an 18-byte exploit file to a message, send it to himself, and launch the preview pane. “The resulting JPEG image served to my browser is based on uninitialized, or previously freed, memory content.”
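To make the mechanism Evans describes concrete, here is an added example; it is not ImageMagick's code and not from Evans's write-up. It assumes a made-up run-length pixel format (width, height, then (count, value) pairs) and a toy heap allocator that reuses the most recently freed chunk without scrubbing it, standing in for a real allocator so that chunk reuse is deterministic. A short "image file" leaves most of the pixel buffer untouched, and the buffer is then rendered to the client. With the vulnerable decoder the stale contents of the freed chunk, a constructed stand-in for another user's data, appear in the output; with the one-line fix they do not.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Toy heap (assumption for the demo): a bump allocator with one-slot LIFO
 * reuse. Like a real free(), toy_free() does not scrub the chunk, so the
 * next allocation of the same size gets the old contents back. */
static unsigned char heap_pool[4096];
static size_t heap_top = 0;
static unsigned char *last_freed = NULL;
static size_t last_freed_size = 0;

static void *toy_malloc(size_t n) {
    if (last_freed != NULL && last_freed_size >= n) {
        void *p = last_freed;          /* freed chunk reused, contents intact */
        last_freed = NULL;
        return p;
    }
    if (heap_top + n > sizeof heap_pool) return NULL;
    void *p = heap_pool + heap_top;
    heap_top += n;
    return p;
}

static void toy_free(void *p, size_t n) {
    last_freed = p;
    last_freed_size = n;
}

/* Hypothetical 1-byte-per-pixel format: in[0] = width, in[1] = height, then
 * (run length, value) pairs. Decodes into a freshly allocated frame.
 * zero_first == 0 reproduces the bug; zero_first == 1 applies the fix. */
static unsigned char *decode_frame(const unsigned char *in, size_t in_len, int zero_first) {
    if (in_len < 2) return NULL;
    size_t npix = (size_t)in[0] * (size_t)in[1];
    unsigned char *pixels = toy_malloc(npix);
    if (pixels == NULL) return NULL;
    if (zero_first)
        memset(pixels, 0, npix);       /* the fix: never render stale heap content */
    size_t pos = 0;
    for (size_t i = 2; i + 1 < in_len && pos < npix; i += 2) {
        size_t run = in[i];
        unsigned char v = in[i + 1];
        for (; run > 0 && pos < npix; run--) pixels[pos++] = v;
    }
    /* A truncated run list leaves pixels[pos..npix) exactly as toy_malloc handed them over. */
    return pixels;
}

static int contains(const unsigned char *buf, size_t n, const char *pat, size_t m) {
    for (size_t i = 0; i + m <= n; i++)
        if (memcmp(buf + i, pat, m) == 0) return 1;
    return 0;
}

#define FRAME_PIXELS 64
static const char SECRET[] = "session=abc123;";  /* constructed stand-in for another user's data */

/* Returns 1 if SECRET shows up in the rendered frame, 0 if not, -1 on decode failure.
 * Resets the toy heap so each call is independent. */
int render_leaks_secret(int zero_first) {
    heap_top = 0; last_freed = NULL; last_freed_size = 0;

    /* 1. An earlier request handled sensitive data in a heap chunk, then freed it. */
    unsigned char *prev = toy_malloc(FRAME_PIXELS);
    memcpy(prev + 16, SECRET, sizeof SECRET);
    toy_free(prev, FRAME_PIXELS);

    /* 2. Attacker-supplied file: 8x8 frame, one run of 8 white pixels, then nothing. */
    const unsigned char tiny_file[] = { 8, 8, 8, 0xFF };
    unsigned char *frame = decode_frame(tiny_file, sizeof tiny_file, zero_first);
    if (frame == NULL) return -1;

    /* 3. "Render" the frame back to the client and look for the secret in it. */
    return contains(frame, FRAME_PIXELS, SECRET, sizeof SECRET - 1);
}

int main(void) {
    printf("vulnerable decoder leaks secret: %d\n", render_leaks_secret(0));
    printf("fixed decoder leaks secret:      %d\n", render_leaks_secret(1));
    return 0;
}
```

Note what the example does not do: it never reads out of bounds and never crashes, which is why this class of bug is quieter than Heartbleed-style over-reads, and the only data it can expose is whatever was left in the chunk the allocator hands back, exactly the limitation Evans points out.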
In the outside world, it's now over to Linux distributions and other downstream users of ImageMagick to patch. The related-but-separate GraphicsMagick patched the same bug last year.
Rather than keep the bounty, by the way, Evans donated it to a charity, and in recognition of this, Yahoo! doubled it. ®