There is a security vulnerability in the VirusTotal platform that has been discovered by researchers, and it has the potential to be exploited by an attacker to conduct RCE.
Shai Alfasi & Marlon Fabiano da Silva from the Cysource research team has stated:-
“They found a way to execute commands remotely within VirusTotal platform and gain access to its various scans capabilities.”
Technical Analysis
VirusTotal is a service that uses over 70 different third-party antivirus products to scan suspicious files and URLs for viruses. Here, through the platform’s web user interface, an attacker uploads a DjVu file to the platform in order to conduct the attack.
An exploit can be triggered with this in order to exploit a high-severity vulnerability in the ExifTool. Using ExifTool, one can read and edit EXIF metadata information in both scanned images and PDF files. ExifTool is an open-source utility.
When the ExifTool was executed, the attackers were planning on using the CVE-2021-22204, which would cause these scanners to run the payload as soon as the CVE-2021-22204 (CVSS score: 7.8) was triggered.
By exploiting this vulnerability an attacker can gain access to the following things with high-level privileges:-
- Google-controlled environment.
- Over 50 internal hosts.
On April 30, 2021, Cysource reported the bug to Google’s Vulnerability Reward Programs (VRP). However, the loophole was immediately fixed once the loophole was reported.
ExifTool has not only been targeted as a conduit for remote code execution in the past but it has also been used for other purposes.
