Security researchers have disclosed a security vulnerability in the VirusTotal platform that could potentially have been weaponized to achieve remote code execution (RCE).
The flaw, now patched, made it possible to “execute commands remotely within VirusTotal platform and gain access to its various scans capabilities,” Cysource researchers Shai Alfasi and Marlon Fabiano da Silva said in a report exclusively shared with The Hacker News.
VirusTotal, part of Google’s Chronicle security subsidiary, is a malware-scanning service that analyzes suspicious files and URLs and checks for viruses using more than 70 third-party antivirus products.
The attack method involved uploading a DjVu file through the platform’s web user interface, using it to trigger an exploit for a high-severity remote code execution flaw in ExifTool, an open-source utility used to read and edit EXIF metadata information in image and PDF files.
Tracked as CVE-2021-22204 (CVSS score: 7.8), the high-severity vulnerability in question is a case of arbitrary code execution that arises from ExifTool’s mishandling of DjVu files. The issue was patched by its maintainers in a security update released on April 13, 2021.
A consequence of such exploitation, the researchers noted, was that it granted access not only to a Google-controlled environment, but also to more than 50 internal hosts with high-level privileges.
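The chain above rests on a metadata extractor being handed attacker-controlled bytes it identifies by content rather than by file extension, so a DjVu container renamed to `.jpg` still reaches the DjVu parser. The following is an added defensive example, not code from Cysource, VirusTotal or the ExifTool project: an upload pre-screen that sniffs the real container type, refuses DjVu outright, and only invokes `exiftool` if the installed version meets a configured minimum. The `AT&TFORM` signature and the JPEG/PNG/GIF/PDF magic bytes are standard file signatures; the upload endpoint, the allowed-type list and the `MINIMUM_EXIFTOOL_VERSION` placeholder are assumptions to be replaced with your own policy and the fixed version from ExifTool's changelog.

```python
"""Constructed example: screen an uploaded file by content before it reaches
ExifTool. ExifTool decides the file type from the bytes, not the name, so the
check must do the same; a .jpg extension on a DjVu container proves nothing."""
import shutil
import subprocess
from typing import Optional, Tuple

# Every DjVu container (single-page DJVU or multi-page DJVM) is an IFF-style
# file whose first eight bytes are this signature.
DJVU_SIGNATURE = b"AT&TFORM"

# Types the hypothetical upload endpoint is willing to accept (assumption).
ALLOWED_SIGNATURES = {
    "jpeg": b"\xff\xd8\xff",
    "png": b"\x89PNG\r\n\x1a\n",
    "gif": b"GIF8",
    "pdf": b"%PDF-",
}

# PLACEHOLDER: set to the first ExifTool release that carries the April 2021
# DjVu fix (taken from the ExifTool changelog, not hard-coded here).
MINIMUM_EXIFTOOL_VERSION = "0.0"


def sniff_type(data: bytes) -> Optional[str]:
    """Return the container type implied by the leading bytes, or None."""
    if data.startswith(DJVU_SIGNATURE):
        return "djvu"
    for name, magic in ALLOWED_SIGNATURES.items():
        if data.startswith(magic):
            return name
    return None


def screen_upload(data: bytes, claimed_ext: str) -> Tuple[bool, str]:
    """Decide whether data may be passed to a metadata parser.

    Returns (accepted, reason). The claimed extension is recorded for the
    audit trail but never trusted; the decision rests on content only."""
    kind = sniff_type(data)
    if kind is None:
        return False, f"unrecognised content (claimed .{claimed_ext})"
    if kind == "djvu":
        return False, f"DjVu container rejected (claimed .{claimed_ext})"
    return True, kind


def version_tuple(text: str) -> Tuple[int, ...]:
    """Turn '12.30' (the form `exiftool -ver` prints) into (12, 30)."""
    return tuple(int(part) for part in text.strip().split("."))


def version_is_at_least(actual: str, minimum: str) -> bool:
    """True when the installed version is not older than the required one."""
    return version_tuple(actual) >= version_tuple(minimum)


def extract_metadata(path: str, data: bytes) -> Optional[str]:
    """Run exiftool on `path` only if `data` passes screening and the installed
    exiftool is new enough. Returns the JSON output, or None if exiftool is
    not installed."""
    accepted, reason = screen_upload(data, path.rsplit(".", 1)[-1])
    if not accepted:
        raise ValueError(reason)
    exe = shutil.which("exiftool")
    if exe is None:
        return None
    installed = subprocess.run([exe, "-ver"], capture_output=True,
                               text=True, check=True).stdout
    if not version_is_at_least(installed, MINIMUM_EXIFTOOL_VERSION):
        raise RuntimeError(f"exiftool {installed.strip()} is older than the "
                           f"required {MINIMUM_EXIFTOOL_VERSION}")
    return subprocess.run([exe, "-j", path], capture_output=True,
                          text=True, check=True).stdout


if __name__ == "__main__":
    # Constructed samples: a JPEG header, and a DjVu header uploaded as .jpg.
    samples = [
        ("photo.jpg", b"\xff\xd8\xff\xe0\x00\x10JFIF\x00"),
        ("photo.jpg", b"AT&TFORM\x00\x00\x00\x10DJVU"),
        ("notes.png", b"not an image at all"),
    ]
    for name, blob in samples:
        print(name, screen_upload(blob, name.rsplit(".", 1)[-1]))
```

Rejecting by content is the point: an extension allow-list alone would have let the renamed DjVu through. In a real deployment the extractor should additionally run in a sandbox with no network access, since the report's most serious finding was not the parser bug itself but where the resulting execution could reach.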
“The interesting part is every time we uploaded a file with a new hash containing a new payload, VirusTotal forwarded the payload to other hosts,” the researchers stated. “So, not just we had an RCE, but also it was forwarded by Google’s servers to Google’s internal network, its customers, and partners.”
Cysource said it responsibly reported the bug through the Google Vulnerability Reward Program (VRP) on April 30, 2021, following which the security weakness was promptly rectified.
This is not the first time the ExifTool flaw has emerged as a conduit to achieve remote code execution. Last year, GitLab fixed a critical flaw (CVE-2021-22205, CVSS score: 10.0) related to improper validation of user-provided images, resulting in arbitrary code execution.