Researchers Takeover Unpatched 3rd-Party Antivirus Sandboxes via VirusTotal

Researchers Takeover Unpatched 3rd-Party Antivirus Sandboxes via VirusTotal

Security researchers have disclosed a security issue that could have allowed attackers to weaponize the VirusTotal platform as a conduit to achieve remote code execution (RCE) on unpatched third-party sandboxing machines employed by antivirus engines.

The flaw, now patched, made it possible to “execute commands remotely within [through] VirusTotal platform and gain access to its various scans capabilities,” Cysource researchers Shai Alfasi and Marlon Fabiano da Silva said in a¬†report¬†exclusively shared with The Hacker News.

VirusTotal, part of Google’s Chronicle security subsidiary, is a malware-scanning service that analyzes suspicious files and URLs and checks for viruses using more than 70 third-party antivirus products.

The attack method involved uploading a DjVu file via the platform’s web user interface that when passed to multiple third-party malware scanning engines could trigger an exploit for a high-severity remote code execution flaw in ExifTool, an open-source utility used to read and edit EXIF metadata information in image and PDF files.

Tracked as CVE-2021-22204 (CVSS score: 7.8), the high-severity vulnerability in question is a case of arbitrary code execution that arises from ExifTool’s mishandling of DjVu files. The issue was patched by its maintainers in a security update released on April 13, 2021.

A consequence of such exploitation, the researchers noted, was that it granted a reverse shell to affected machines linked to some antivirus engines that had not yet been patched for the remote code execution vulnerability.

To be noted, the vulnerability doesn’t affect VirusTotal and in a statement shared with The Hacker News, Bernardo Quintero, its founder, confirmed that it’s the intended behavior and that the code executions are not in the platform itself but in the third-party scanning systems that analyze and execute the samples. The company also said it’s using a version of ExifTool that’s not vulnerable to the flaw.

Cysource said it responsibly reported the bug through Google’s Vulnerability Reward Programs (VRP) on April 30, 2021, following which the security weakness Read more:

You can also read this: Ukraine Invasion Driving DDoS Attacks to All-Time Highs

Leave a Reply

Your email address will not be published. Required fields are marked *