"Researchers Takeover Unpatched 3rd-Party Antivirus Sandboxes via VirusTotal"

Security researchers at CySource discovered a flaw that attackers could have exploited to use the VirusTotal platform as a channel for achieving Remote Code Execution (RCE) on unpatched third-party sandboxing machines used by antivirus engines. VirusTotal is Google's malware-scanning service that checks suspicious files and URLs for viruses using over 70 third-party antivirus products. The flaw, which has now been patched, made it possible to remotely execute commands via the VirusTotal platform and gain access to the platform's scanning capabilities. The attack method involves uploading a DjVu file through VirusTotal's web user interface. When the file is passed to multiple third-party malware scanning engines, it could trigger an exploit for a high-severity RCE flaw in ExifTool, an open-source utility used to read and edit the EXIF metadata contained in image and PDF files. The high-severity vulnerability, tracked as CVE-2021-22204, stems from ExifTool's improper handling of DjVu files. The researchers noted that this type of exploitation granted a reverse shell on impacted machines linked to some unpatched antivirus engines. This article continues to discuss the RCE vulnerability that could have allowed malicious actors to take control of unpatched third-party antivirus sandboxes.
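The sandboxes were exposed because metadata extractors such as ExifTool identify a file by its container header, not by its extension, so any submitted sample that is a DjVu container reaches the DjVu parser. As an added defensive example (not code from the article or from CySource), the following Python recognises DjVu containers by their IFF header and lists their chunks, so an operator can route such samples away from an unpatched extractor; the sample file is constructed inline and is not a real document.

```python
import struct

DJVU_MAGIC = b"AT&TFORM"
DJVU_FORM_TYPES = {b"DJVU", b"DJVM", b"DJVI", b"THUM"}


def is_djvu(data: bytes) -> bool:
    """DjVu is an IFF container: 'AT&T' + 'FORM' + BE32 length + form type."""
    return (len(data) >= 16 and data[:8] == DJVU_MAGIC
            and data[12:16] in DJVU_FORM_TYPES)


def djvu_chunk_ids(data: bytes) -> list:
    """Walk the IFF chunk list and return chunk IDs such as INFO or ANTa.
    Returns [] for anything that is not a DjVu container."""
    ids = []
    if not is_djvu(data):
        return ids

    def walk(pos: int, end: int) -> None:
        while pos + 8 <= end:
            cid = data[pos:pos + 4]
            (length,) = struct.unpack(">I", data[pos + 4:pos + 8])
            body = pos + 8
            if body + length > end:
                break  # truncated chunk: stop rather than read past the data
            if cid == b"FORM":  # nested form (multi-page documents)
                ids.append("FORM:" + data[body:body + 4].decode("latin-1"))
                walk(body + 4, body + length)
            else:
                ids.append(cid.decode("latin-1"))
            pos = body + length + (length & 1)  # chunks are padded to even size

    (total,) = struct.unpack(">I", data[8:12])
    ids.append("FORM:" + data[12:16].decode("latin-1"))
    walk(16, min(len(data), 12 + total))
    return ids


def should_quarantine(filename: str, data: bytes) -> bool:
    """Gate on content, not name: a DjVu renamed to .jpg is still DjVu to the parser."""
    return is_djvu(data)


def _chunk(cid: bytes, body: bytes) -> bytes:
    return cid + struct.pack(">I", len(body)) + body + (b"\x00" if len(body) & 1 else b"")


def build_sample() -> bytes:
    """Constructed minimal DjVu container used only to exercise the checks above."""
    info = _chunk(b"INFO", b"\x00\x10\x00\x10\x00\x1a\x00\x01\x00\x00")
    anta = _chunk(b"ANTa", b'(metadata (Author "sample"))')  # annotation chunk
    return b"AT&T" + _chunk(b"FORM", b"DJVU" + info + anta)
```

Run as a pre-filter in the sample pipeline: `should_quarantine(name, data)` flags the container before any metadata tool touches it, and `djvu_chunk_ids` records which chunks the file carried for later triage.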

THN reports "Researchers Takeover Unpatched 3rd-Party Antivirus Sandboxes via VirusTotal"
