Security researchers have revealed a security issue that could enable attackers to exploit the VirusTotal platform for remote code execution (RCE) on unpatched third-party sandboxing machines employed by antivirus engines.

The vulnerability, now fixed,  allowed to “execute commands remotely within [through] VirusTotal platform and gain access to its various scans capabilities,” Cysource researchers Shai Alfasi and Marlon Fabiano da Silva said in a report exclusively shared with The Hacker News.

VirusTotal, a malware scanning service and part of Google’s Chronicle security subsidiary,  analyses suspicious files and URLs and looks for viruses using more than 70 third-party antivirus products.

The attack entails uploading a DjVu file via the platform’s web user interface, which when sent to multiple third-party malware scanning engines could initiate an exploit for a critical remote code execution flaw in ExifTool, an open-source utility used for reading and editing EXIF metadata information in image and PDF files.

The vulnerability, labelled CVE-2021-22204 (CVSS score: 7.8), is a high-severity vulnerability that can lead to an arbitrary code execution that stems from ExifTool’s mishandling of DjVu files. The issue was fixed by its maintainers in a security update released on April 13, 2021.

Researchers observed that one of the effects of exploitation was a reverse shell to impacted machines linked to some antivirus engines that had not yet been updated for the remote code execution vulnerability. 

The vulnerability doesn’t affect VirusTotal and in a statement shared with The Hacker News, Bernardo Quintero, its founder, confirmed that it’s the intended behaviour and that the code executions are not in the platform itself but in the third-party scanning systems that analyze and execute the samples. The company also said it’s using a version of ExifTool that’s not vulnerable to the flaw.

Cysource reported the bug through Google’s Vulnerability Reward Programs (VRP) on April 30, 2021, after which the vulnerability was immediately fixed.

This is not the first time the ExifTool flaw emerged as a conduit to achieve remote code execution. Last year, GitLab fixed a critical flaw (CVE-2021-22205, CVSS score: 10.0) related to improper validation of user-provided images, leading to arbitrary code execution.