CVE-2004-2167
Vulnerability Description
Multiple buffer overflows in LaTeX2rtf 1.9.15, and possibly other versions, allow remote attackers to execute arbitrary code via (1) the expandmacro function, and possibly (2) Environments and (3) TranslateCommand.
Experiment Environment
Debian 8/9
INSTALL & Configuration
tar -xvf latex2rtf-1.9.15.tar.gz;
cd latex2rtf-1.9.15/;
make;
make install; **<= essential**
Problems in Installation & Configuration
(Not set):1 Cannot open the latex2rtf config file 'direct.cfg'
(Not set):1 Locate the directory containing the .cfg files and
(Not set):1 (1) define the environment variable RTFPATH, *or*
(Not set):1 (2) use command line path option "-P /path/to/cfg/file", *or*
(Not set):1 (3) recompile latex2rtf with CFGDIR defined properly
(Not set):1 Current RTFPATH: (null)
(Not set):1 Current CFGDIR: /usr/local/share/latex2rtf/cfg
(Not set):1 Error! Giving up. Please don't hate me.
If you see the error output above, you have most likely skipped the make install
step after compiling the package.
PoCs
LaTeX2rtf 1.9.15 - Remote Buffer Overflow (ExploitDB)
Note: The PoC file has a small syntax error that stops it from compiling: the opening brace is missing on the first line of the main function.
LaTeX2rtf Remote Buffer Overflow Vulnerability (SecurityFocus)
Note: The PoC file has the same small syntax error: the opening brace is missing on the first line of the main function.
LaTeX2rtf Buffer Overflow Lets Remote Users Execute Arbitrary Code (SecurityTracker)
How to trigger vulnerability
% copy PoC File into the workspace
$ gcc -o exploit latex2rtf.c
$ ./exploit > poc.tex
$ ./latex2rtf poc.tex
Segmentation fault
Vulnerability Details
Root Cause
definitions.c:155
strcpy(expanded,macro_piece);
expandmacro() copies macro_piece into the fixed-size buffer expanded with strcpy() and no length check, so an over-long macro argument in the .tex input runs past the end of the buffer and overwrites the stack. This is why the saved return addresses in the trace below read 0x90909090 (the PoC's NOP filler) and the crash occurs inside strlen() on a corrupted macro pointer.
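To make the root cause concrete, here is an added example (not latex2rtf's own code): a stripped-down model of the expandmacro() copy loop, with the unchecked strcpy() next to a bounds-checked rewrite. The buffer size, the '#' parameter placeholder and the function names are assumptions; only the strcpy(expanded, macro_piece) pattern comes from the page.

```c
#include <string.h>

/* Constructed stand-in for expandmacro()'s fixed-size output buffer; the
 * real size in definitions.c is not given on this page (assumption). */
#define EXPANDED_SIZE 64

/* Model of the unsafe pattern at definitions.c:155: the caller-supplied
 * argument is appended with strcpy(), so an over-long argument overruns
 * the buffer. '#' marks the parameter slot. Returns 0 (cannot detect failure). */
int expand_unsafe(const char *macro, const char *macro_piece, char *expanded)
{
    char *out = expanded;
    for (const char *p = macro; *p; p++) {
        if (*p == '#') {
            strcpy(out, macro_piece);      /* no bounds check: the bug */
            out += strlen(macro_piece);
        } else *out++ = *p;
    }
    *out = '\0';
    return 0;
}

/* Hardened version: track the remaining space and refuse the expansion
 * instead of overflowing. Returns 0 on success, -1 if it would not fit. */
int expand_safe(const char *macro, const char *macro_piece,
                char *expanded, size_t size)
{
    size_t used = 0, plen = strlen(macro_piece);
    for (const char *p = macro; *p; p++) {
        if (*p == '#') {
            if (plen >= size - used) return -1;   /* would overflow */
            memcpy(expanded + used, macro_piece, plen);
            used += plen;
        } else {
            if (used + 1 >= size) return -1;
            expanded[used++] = *p;
        }
    }
    expanded[used] = '\0';
    return 0;
}

/* Feeds a constructed argument of `len` 'A's through expand_safe(); this mirrors
 * the PoC's over-long macro argument without ever writing past the buffer. */
int try_expand(size_t len)
{
    char arg[256], expanded[EXPANDED_SIZE];
    if (len >= sizeof arg) return -2;
    memset(arg, 'A', len);
    arg[len] = '\0';
    return expand_safe("\\textbf{#}", arg, expanded, sizeof expanded);
}
```

try_expand(10) returns 0 and try_expand(200) returns -1, whereas the unsafe variant would silently write the 200-byte argument over whatever follows the buffer.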
Stack Trace
(gdb) info stack
#0 __strlen_sse2_bsf () at ../sysdeps/i386/i686/multiarch/strlen-sse2-bsf.S:52
#1 0x08063a93 in expandmacro (macro=0x90909090 <Address 0x90909090 out of bounds>,
opt_param=0x90909090 <Address 0x90909090 out of bounds>, params=-1869574000) at definitions.c:156
#2 0x90909090 in ?? ()
#3 0x90909090 in ?? ()
#4 0x90909090 in ?? ()
......