Researchers Used VirusTotal To Take Control Unpatched 3rd-Party Antivirus Sandboxes

Researchers recently discovered a vulnerability in the VirusTotal platform that might have allowed attackers to use it to get remote code execution (RCE) on unpatched third-party sandboxing machines that utilize antivirus engines.

Researchers Used VirusTotal To Take Control Unpatched 3rd-Party Antivirus Sandboxes
VirusTotal / Screenshot taken from the official VirusTotal website

Flaw in the VirusTotal Platform

Cysource discovered a means to execute commands remotely within the VirusTotal platform and gain access to its numerous scan capabilities after a detailed security research by Cysource's research team lead by Shai Alfasi and Marlon Fabiano da Silva.

A part of Google's Chronicle security subsidiary, VirusTotal checks for viruses and analyzes suspicious files using more than 70 third-party antivirus software.

However, the report clarified that the vulnerability doesn't affect VirusTotal.

Bernardo Quintero, VirusTotal founder, told The Hacker News that the code executions are in the third-party scanning systems that analyze and execute the samples, not in the platform itself. The company also stated that it is utilizing an ExifTool version that is not affected by the issue.

What Exactly Is the Problem?

CySource mentioned that the initial plan for the investigation was to leverage CVE-2021-22204 (CVSS score: 7.8) so that VirusTotal's scanners would run the payload as soon as the ExifTool was launched. ExifTool is an open-source tool that reads and edits the EXIF metadata in picture and PDF files.

(Photo : VirusTotal / Screenshot taken from the official VirusTotal website)

To be more specific, the attack approach entailed uploading a DjVu file via the platform's web user interface, which could be used to trigger an exploit for a high-severity remote code execution bug in ExifTool when it was passed to several third-party malware scanning engines.

(Photo : VirusTotal / Screenshot taken from the official VirusTotal website)

The Hacker News noted that the high-severity flaw in question, classified as CVE-2021-22204, is a case of arbitrary code execution caused by ExifTool's mishandling of DjVu files. The problem was fixed in a security update provided on April 13, 2021.

(Photo : VirusTotal / Screenshot taken from the official VirusTotal website)

CySource claimed it appropriately disclosed the vulnerability on April 30, 2021, through Google's Vulnerability Reward Programs (VRP), and the security flaw was promptly fixed.

The ExifTool Flaw Has Been Used Before as a Means of Obtaining Remote Code Execution

GitLab has patched a major hole (CVE-2021-22205, CVSS score: 10.0) that allowed arbitrary code execution via improper validation of user-provided images in 2021.

Rapid7 GitLab described the flaw as an authenticated vulnerability caused by sending user-provided images to the service's embedded version of ExifTool. ExifTool's mishandling of DjVu files allowed a remote attacker to run arbitrary commands as the git user, a flaw that was eventually assigned CVE-2021-22204.

According to Gitlab, this flaw was addressed and patched in the GitLab 13.10.3, 13.9.6, and 13.8.8 release from April 14, 2021.

This publicly available exploit affects self-managed customers running the following GitLab versions:

  • 11.9.x - 13.8.7
  • 13.9.0 - 13.9.5
  • 13.10.0 - 13.10.2

© 2024 iTech Post All rights reserved. Do not reproduce without permission.

More from iTechPost

Real Time Analytics