Researchers have disclosed a security flaw that could have allowed attackers to use the VirusTotal platform as a conduit to achieve remote code execution (RCE) on unpatched third-party sandboxes running antivirus engines.
The now-patched issue allowed Cysource researchers Shai Alfasi and Marlon Fabiano da Silva to "perform commands remotely within [via] VirusTotal platform and obtain access to its numerous scans capabilities," according to a report exclusively shared with The Hacker News.
VirusTotal, a security subsidiary of Google, is a malware-scanning service that analyses suspicious files and URLs and scans them for infections using more than 70 third-party antivirus programmes.
The attack involved uploading a DjVu file through the platform's web interface; when the file was passed to multiple third-party malware-scanning engines, it could trigger a high-severity remote code execution flaw in ExifTool, an open-source utility used to read and edit metadata (such as EXIF) in image, PDF and many other file formats.
The high-severity vulnerability in question, CVE-2021-22204 (CVSS score: 7.8), is an arbitrary code execution bug caused by ExifTool's improper handling of DjVu files: untrusted annotation data in the file was not properly neutralised before being evaluated by the Perl-based tool. The problem was fixed by ExifTool's maintainers in a security update (version 12.24) released on April 13, 2021.
According to the researchers, the attack yielded a reverse shell on affected systems connected to antivirus engines that had not yet been patched against the remote code execution vulnerability.
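The practical question for anyone running a scanning pipeline is whether a submitted DjVu file carries annotation data that a metadata parser will interpret, and whether the ExifTool in that pipeline predates the fix. The following is an added example (not code from the article, from Cysource, or from ExifTool): a minimal walker for the DjVu container that extracts the annotation chunks ExifTool reads metadata from, flags plain-text annotations that look like code rather than document metadata, and compares an `exiftool -ver` string against the patched release. The DjVu layout it relies on is the published one (an "AT&T" magic followed by IFF-style chunks: a 4-byte ID, a 4-byte big-endian length, an even-padded payload, with FORM chunks nesting further chunks after a 4-byte form type). The character heuristic in `SUSPICIOUS`, the helper names and the sample annotations are this example's own assumptions; the sample "suspect" string is constructed to trip the heuristic and is not a working exploit.

```python
"""Walk a DjVu container, list annotation chunks, flag code-like annotations.

Added example; not part of the original article or of ExifTool.
"""
import re
import struct

# Heuristic (this example's own, not a published signature): backslashes,
# backticks, sigils, statement separators and Perl built-in names have no
# place in human-written annotation text such as (metadata (Author "...")).
SUSPICIOUS = re.compile(rb'[\\`$@;]|\b(?:system|exec|open|eval)\b')

# First ExifTool release containing the CVE-2021-22204 fix (April 13, 2021).
FIXED_VERSION = (12, 24)


def iter_chunks(data, offset, end):
    """Yield (chunk_id, payload_offset, payload_len) for chunks in data[offset:end]."""
    while offset + 8 <= end:
        cid, length = struct.unpack_from('>4sI', data, offset)
        start = offset + 8
        if start + length > end:
            raise ValueError(f'chunk {cid!r}: length {length} overruns container')
        yield cid, start, length
        offset = start + length + (length & 1)  # payloads are padded to even size


def annotations(data):
    """Return [(chunk_id, payload)] for every ANTa (plain) / ANTz (compressed) chunk."""
    if data[:4] != b'AT&T':
        raise ValueError('not a DjVu file (missing AT&T magic)')
    found = []

    def walk(offset, end):
        for cid, start, length in iter_chunks(data, offset, end):
            if cid == b'FORM':
                walk(start + 4, start + length)  # skip the 4-byte form type
            elif cid in (b'ANTa', b'ANTz'):
                found.append((cid, data[start:start + length]))

    walk(4, len(data))
    return found


def suspicious_annotations(data):
    """Plain-text annotations whose content matches the code-like heuristic."""
    return [(cid, payload) for cid, payload in annotations(data)
            if cid == b'ANTa' and SUSPICIOUS.search(payload)]


def exiftool_vulnerable(version_string):
    """True if an `exiftool -ver` string is older than the patched release."""
    major, minor = (int(x) for x in version_string.strip().split('.')[:2])
    return (major, minor) < FIXED_VERSION


def build_djvu(annotation):
    """Construct a minimal single-page DJVU file with an INFO and an ANTa chunk.

    Test input only; the INFO payload is a 10-byte placeholder header.
    """
    def chunk(cid, payload):
        pad = b'\0' if len(payload) & 1 else b''
        return cid + struct.pack('>I', len(payload)) + payload + pad

    info = chunk(b'INFO', struct.pack('>HHBBHBB', 1, 1, 24, 0, 100, 22, 0))
    body = b'DJVU' + info + chunk(b'ANTa', annotation)
    return b'AT&T' + chunk(b'FORM', body)


# Constructed samples: ordinary metadata versus a string that looks like code.
BENIGN = build_djvu(b'(metadata (Author "Alice"))')
SUSPECT = build_djvu(b'(metadata (Author "$x `whoami`"))')

if __name__ == '__main__':
    for name, sample in (('benign', BENIGN), ('suspect', SUSPECT)):
        print(name, suspicious_annotations(sample))
    print('exiftool 12.23 vulnerable:', exiftool_vulnerable('12.23'))
```

In a real pipeline the walker would run on the submitted bytes before any third-party engine sees them, and a hit on `suspicious_annotations` would route the file to an isolated scanner rather than block it outright, since legitimate annotations can contain odd characters. The version check is the cheaper control: any host where `exiftool -ver` reports a value below 12.24 should not be parsing untrusted DjVu input at all. ANTz chunks are BZZ-compressed and are left undecoded here, so they are listed but not inspected.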
The vulnerability does not affect VirusTotal itself. In a statement shared with The Hacker News, its founder, Bernardo Quintero, said that this is intended behaviour: the code execution occurs not in the platform but in the third-party scanning systems that analyse and execute the samples. The company also said it uses an ExifTool version that is not vulnerable to the issue.
Cysource stated that it responsibly disclosed the bug on April 30, 2021, via Google's Vulnerability Reward Program (VRP), and that the security flaw was quickly fixed.
This is not the first time the ExifTool bug has been used as a means of achieving remote code execution. Last year, GitLab patched a critical flaw (CVE-2021-22205, CVSS score: 10.0) in which insufficient validation of user-supplied images passed to ExifTool could lead to arbitrary code execution.
Update: The story has been updated to reflect VirusTotal's clarification on the nature of the exploitation.