
Researchers Find RCE Vulnerability on VirusTotal


Cysource experts discovered an RCE vulnerability that allowed “remotely executing commands on the VirusTotal platform and accessing various scanning capabilities.”

The researchers say that the bug was discovered a year ago, in April 2021, but Google, which owns VirusTotal, only recently gave permission to publish information about the vulnerability.

“After deep security research by the Cysource research team, led by Shai Alfasi and Marlon Fabiano da Silva, we found a way to execute commands remotely within the VirusTotal platform and gain access to its various scan capabilities,” Cysource experts said.
Let me remind you that we also reported that an RCE vulnerability was fixed in Sophos Firewall, and that an expert investigated a vulnerability in the Snort intrusion prevention system.

The attack on VirusTotal was possible by uploading a specially crafted DjVu file through the web user interface. Such a file could trigger an exploit for ExifTool, an open source utility used to read and edit EXIF metadata in images and PDF files.

“Virustotal.com analyzed our file and none of the antiviruses detected the payload added to the file’s metadata,” Cysource experts explained.

At the root of the problem found by the experts is the bug tracked as CVE-2021-22204 (7.8 points on the CVSS scale): arbitrary code execution caused by ExifTool's incorrect handling of DjVu files. This issue was fixed back in April 2021.
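A defensive upload gate in the spirit of the attack chain described above, added here as an example and not code from Cysource, Google or VirusTotal: it identifies DjVu containers by their magic bytes rather than by file extension, so an upload pipeline can route them to an isolated metadata parser instead of the default one. The chunk layout follows the public DjVu/IFF85 format; the sample file and the routing labels are constructed for illustration.

```python
"""Content-type gate for files that an upload pipeline hands to a metadata
parser such as ExifTool. Added example; DjVu layout per the public format."""
import struct

DJVU_MAGIC = b"AT&TFORM"
DJVU_FORM_TYPES = {b"DJVU", b"DJVM", b"DJVI", b"THUM"}


def is_djvu(data: bytes) -> bool:
    """True if data starts with the DjVu IFF magic and a known form type."""
    return len(data) >= 16 and data[:8] == DJVU_MAGIC and data[12:16] in DJVU_FORM_TYPES


def djvu_chunks(data: bytes) -> list[tuple[str, int]]:
    """Walk the top-level chunks inside the outer FORM, returning (id, length)."""
    if not is_djvu(data):
        raise ValueError("not a DjVu container")
    form_len = struct.unpack(">I", data[8:12])[0]
    end = min(12 + form_len, len(data))  # never trust the declared length
    pos = 16  # past 'AT&T', 'FORM', length, form type
    chunks = []
    while pos + 8 <= end:
        cid = data[pos:pos + 4]
        clen = struct.unpack(">I", data[pos + 4:pos + 8])[0]
        if cid == b"FORM":  # nested form: report its type instead of 'FORM'
            cid = data[pos + 8:pos + 12]
        chunks.append((cid.decode("ascii", "replace"), clen))
        pos += 8 + clen + (clen & 1)  # IFF chunks are padded to even length
    return chunks


def route_upload(data: bytes) -> str:
    """Decide which parser an untrusted upload reaches (labels are constructed)."""
    if is_djvu(data):
        return "isolated-parser"  # e.g. sandboxed ExifTool with no network access
    return "default-parser"


def build_sample() -> bytes:
    """Constructed minimal single-page DjVu with INFO and BG44 chunks."""
    def chunk(cid: bytes, payload: bytes) -> bytes:
        pad = b"\0" if len(payload) & 1 else b""
        return cid + struct.pack(">I", len(payload)) + payload + pad

    body = (b"DJVU"
            + chunk(b"INFO", b"\x00\x64\x00\x64\x18\x00\x00\x19\x64\x01")
            + chunk(b"BG44", b"constructed"[:10]))
    return b"AT&T" + chunk(b"FORM", body)
```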

In their report, the experts write that the exploitation of this vulnerability in the context of VirusTotal provided not only access to an environment controlled by Google, but also gave privileged access to 50+ internal hosts.


“Interestingly, every time we uploaded a file with a new hash containing a new payload, VirusTotal forwarded the payload to new hosts. So we didn’t just have RCE, but Google’s servers were redirecting it to the Google intranet, to their customers and partners,” the experts say.

The vulnerability has since been fixed, and VirusTotal no longer allows penetration into the Google infrastructure.

About The Author
Vladimir Krasnogolovy