Claims that researchers were able to execute commands within the antivirus platform have been questioned
Doubts have arisen about the veracity of research that purportedly demonstrates a serious vulnerability involving VirusTotal, a Google-owned antivirus comparison and threat intel service.
VirusTotal (VT) offers a service that allows security researchers, sysadmins, and the like to analyze suspicious files, domains, IPs, and URLs through an aggregated service that bundles close to 70 antivirus products and scan engines.
Samples submitted through the service are automatically shared amongst the security community including, but not limited to, the vendors who maintain scanning engines used by VT.
In a blog post published on Tuesday, Israel-based cybersecurity education platform provider Cysource claims researchers were able to “execute commands remotely within [the] VirusTotal platform and gain access to its various scans capabilities”.
The attack relies on a doctored DJVU file with a malicious payload embedded in the file’s metadata. The payload exploits CVE-2021-22204, a vulnerability in the metadata analysis tool ExifTool, to achieve remote code execution (RCE) and obtain a remote shell.
Cysource researchers’ findings were submitted via Google’s VRP in April 2021 and resolved a month later.
But rather than demonstrating a way to weaponize VirusTotal, as they suggest, all Cysource has shown is a means to hack an unpatched, third-party antivirus toolbox, according to VirusTotal.
In a rebuttal of the research posted as a thread on Twitter, Bernardo Quintero, VirusTotal’s founder, said that the code execution occurred on third-party scanning systems that fetch and analyze samples obtained from VT, not on VirusTotal’s own infrastructure.
VirusTotal does not use the vulnerable version of ExifTool and, furthermore, none of the affected machines were maintained by VT, according to Quintero.
Quintero said that he informed the researchers of this in response to their initial disclosure last May. He criticized their decision to publish what he argues are misleading findings.
“None [of the] reported machine was from VT and the ‘researchers’ knew it,” according to Quintero.
The Daily Swig contacted Cysource for a response to this criticism and will update this story as and when more information comes to hand.
Cysource responded to us on May 10 with the following statement:
The research was published in full disclosure at The Hacker News and was checked and verified; here it is in full description of our security findings.
The research has been conducted through an official Google VRP program. The article details have been published in The Hacker News through a joint collaboration of THN, VT by Google, Google VRP and CySource.