Security researchers discovered a way to abuse the well-known VirusTotal malware scanning service owned by Google subsidiary Chronicle, to remotely run arbitrary commands on the platform, and access multiple internal hosts.
VirusTotal provides access to over 70 different anti-virus scanners from security vendors such as Kaspersky, ESET, and 360 Total Security, using several different methods to submit malware samples.
Trying out an idea, researchers Shai Alfasi and Marlon Fabiano da Silva at Israeli security vendor CySource embedded a payload in the metadata of a DjVu file, to exploit an existing vulnerability in the open source ExifTool utlity.
ExifTool extracts Exchangeable Image File annotations, tags and metadata, and a vulnerability in ExifTool 12.23 found by researcher William Bowling last year can be triggered by DjVu files to obtain remote code execution.
DjVu is a relatively old and no longer developed file format devised by AT&T, used to store scanned images.
None of the VirusTotal anti-virus scanners detected the CySource researchers' Base64 encoded payload added to the metadata of the malicious DjVu file.
The researchers found that "instead of exiftool detecting the metadata of the file it executes our payload."
On top of remote code execution, the researchers got a reverse shell that made it possible to access more than 50 internal network hosts at Google and its VirusTotal security vendor partners, with high privileges.
"The interesting part is every time we uploaded a file with a new hash containing a new payload, virustotal forwarded the payload to other hosts.
"So, not just we had a RCE, but also it was forwarded by Google's servers to Google's internal network, it customers and partners," the CySource team wrote.
Once inside the networks, the researchers mapped out several services such Kubernetes container orchestration, MySQL and Oracle databases, Secure Shell (SSH) and other web applications.
CySource disclosed the vulnerability to Google's vulnerability reward programme end of April 2021, and the security vendor's report was accepted in on May 21 last year.
A fix for the vulnerability was deployed in January this year, and GoogleVRP cleared CySource to publish details about the bug at the same time.
Neither Google nor CySource explained why it took until January 2022 to fix the vulnerability.