Critical RCE Vulnerability Reported in Google’s VirusTotal

The vulnerability that existed for the last 8 months allowed attackers to weaponize the VirusTotal platform to achieve remote code execution on an unpatched 3rd party sandboxing machine employing anti-virus engines.

In January 2022, a report dubbed “VirusTotal Hacking” revealed how the platform can be used to access stolen login credentials and other sensitive files. Now, the IT security researchers at CySource have reported a method to abuse the VirusTotal malware scanning service to execute arbitrary commands and access multiple internal hosts remotely by using a remote code execution (RCE) vulnerability (CVE-2021-22204).

According to researchers, the vulnerability could allow attackers to weaponize the VirusTotal platform and achieve remote code execution on an unpatched 3rd party sandboxing machine employing anti-virus engines.

How Could the Vulnerability be Exploited?

Israeli security services provider CySource’s researchers Shai Alfasi and Marlon Fabiano da Silva embedded a payload in the DjVu file’s metadata for exploiting the vulnerability, identified in ExifTool open-source utility. This utility extracts Exchangeable Image File annotations, metadata, and tags.

Moreover, it can trigger another vulnerability to obtain remote code execution. This vulnerability is triggered by DjVu files and was identified by researcher William Bowling in 2021 in ExifTool 12.23. It was surprising that none of the VirusTotal anti-virus scanners could detect the CySource researchers’ Base64 encoded payload they included in the malicious DjVu file’s metadata.

“Instead of ExifTool detecting the metadata of the file, it executes our payload.”

CySource

The researchers also got a reverse shell that allowed them to access over 50 internal network hosts with high privileges at Google and its other VirusTotal security vendor partners. Every time they uploaded a file with a new hash and a new payload, VirusTotal forwarded it to bots.

This indicates that apart from an RCE, the payload was forwarded by Google servers to the company’s internal network, partners, and customers as well. When researchers were able to invade the networks, they mapped out various services, including MySQL, Kubernetes container orchestration, Oracle databases, web applications, and Secure Shell (SSH).

More Vulnerability News on Hackread.com

1. Hackers mining Monero on Microsoft SQL databases for last 2 years
2. Hackers are using a 19-year-old WinRAR bug to install nasty malware
3. 12-Year-Old vulnerability in Windows Defender risked 1 billion devices
4. Google, Microsoft and Oracle generated the most vulnerabilities in 2021
5. Google Drive accounted for 50% of malicious Office document downloads

Google Released Patch after Eight Months

The vulnerability was disclosed to Google’s vulnerability reward program in April 2021, and the report was accepted in May 2021. However, the fix was dispatched in January 2022, after which CySource received the green signal to share details of the bug.

It is still unclear why Google took so long to fix this vulnerability. VirusTotal is a trusted service from Google’s subsidiary Chronicle, offering access to more than 70 different anti-virus scanning solutions from mainstream security vendors, including ESET, Kaspersky, and 360 Total Security. It is, therefore, quite shocking that a dangerous remote code execution vulnerability plagued this service for over eight months.

I am a UK-based cybersecurity journalist with a passion for covering the latest happenings in cyber security and tech world. I am also into gaming, reading and investigative journalism