Vulnerability Reproduction DataSet

This Vulnerability Reproduction DataSet is created and maintained by Penn State University


CVE-2004-2167

Vulnerability Description

Multiple buffer overflows in LaTeX2rtf 1.9.15, and possibly other versions, allow remote attackers to execute arbitrary code via (1) the expandmacro function, and possibly (2) Environments and (3) TranslateCommand.

Experiment Environment

Debian 8/9

Docker Image

DockerFile

INSTALL & Configuration

tar -xvf latex2rtf-1.9.15.tar.gz;
cd latex2rtf-1.9.15/;
make;
make install; **<= essential**

Problems in Installation & Configuration

(Not set):1 Cannot open the latex2rtf config file 'direct.cfg'
(Not set):1 Locate the directory containing the .cfg files and
(Not set):1 (1) define the environment variable RTFPATH, *or*
(Not set):1 (2) use command line path option "-P /path/to/cfg/file", *or*
(Not set):1 (3) recompile latex2rtf with CFGDIR defined properly
(Not set):1 Current RTFPATH: (null)
(Not set):1 Current CFGDIR: /usr/local/share/latex2rtf/cfg
(Not set):1 Error! Giving up. Please don't hate me.

If you see the error above, you most likely skipped the make install step after compiling the package; the binary then cannot find its .cfg files under CFGDIR, so either run make install or point it at the cfg directory with RTFPATH or -P as the message suggests.

PoCs

LaTeX2rtf 1.9.15 - Remote Buffer Overflow (ExploitDB)

Note: The PoC file has a small syntax error that stops it from compiling: the opening brace is missing from the first line of the main function. Add it and it compiles.

LaTeX2rtf Remote Buffer Overflow Vulnerability (SecurityFocus)

Note: This PoC file has the same small syntax error: the opening brace is missing from the first line of the main function. Add it and it compiles.

LaTeX2rtf Buffer Overflow Lets Remote Users Execute Arbitrary Code (SecurityTracker)

How to trigger vulnerability

% copy PoC File into the workspace
$ gcc -o exploit latex2rtf.c
$ ./exploit > poc.tex
$ ./latex2rtf poc.tex
Segmentation fault

Vulnerability Details

Root Cause

definitions.c:155

                strcpy(expanded,macro_piece);

Stack Trace

(gdb) info stack
#0  __strlen_sse2_bsf () at ../sysdeps/i386/i686/multiarch/strlen-sse2-bsf.S:52
#1  0x08063a93 in expandmacro (macro=0x90909090 <Address 0x90909090 out of bounds>,
    opt_param=0x90909090 <Address 0x90909090 out of bounds>, params=-1869574000) at definitions.c:156
#2  0x90909090 in ?? ()
#3  0x90909090 in ?? ()
#4  0x90909090 in ?? ()
...
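The unchecked strcpy at definitions.c:155 is the whole bug: expandmacro copies macro pieces into a fixed-size buffer, so an over-long macro body runs past it and, as the trace shows, the saved return address and the function's own arguments are overwritten with the PoC's 0x90 filler. The following is an added example, not latex2rtf code, showing that copy pattern in a bounded form, with hypothetical names (append_piece, expand_macro_bounded, demo_*), an assumed 64-byte buffer, and a constructed 100-byte piece standing in for the PoC input.

```c
#include <stdio.h>
#include <string.h>
#define EXPANDED_SIZE 64 /* assumed buffer size, kept small for illustration */

/* Bounded replacement for the unchecked strcpy(expanded, macro_piece) at
 * definitions.c:155. Returns 0, or -1 (buffer unchanged) if piece + '\0'
 * would not fit in the 'cap'-byte, NUL-terminated buffer. */
static int append_piece(char *expanded, size_t cap, const char *macro_piece)
{
    size_t used = strlen(expanded), need = strlen(macro_piece);
    if (need >= cap - used) return -1;
    memcpy(expanded + used, macro_piece, need + 1);
    return 0;
}

/* Expand a NULL-terminated array of macro pieces into a caller-supplied
 * buffer. Returns 0, or -1 as soon as a piece would overflow it. */
int expand_macro_bounded(char *expanded, size_t cap, const char *const *pieces)
{
    if (cap == 0) return -1;
    expanded[0] = '\0';
    for (; *pieces != NULL; ++pieces)
        if (append_piece(expanded, cap, *pieces) != 0) return -1;
    return 0;
}

int demo_normal(void) /* 1 if an ordinary macro expands as expected */
{
    char buf[EXPANDED_SIZE];
    const char *pieces[] = { "\\textbf{", "hello", "}", NULL };
    return expand_macro_bounded(buf, sizeof buf, pieces) == 0
        && strcmp(buf, "\\textbf{hello}") == 0;
}

/* 1 if a constructed 100-byte piece (longer than the buffer, the shape of
 * the PoC's 0x90 filler) is rejected and the buffer is left intact. */
int demo_overflow_rejected(void)
{
    char buf[EXPANDED_SIZE], big[101];
    memset(big, 'A', 100); big[100] = '\0';
    const char *pieces[] = { "\\def", big, NULL };
    return expand_macro_bounded(buf, sizeof buf, pieces) == -1
        && strcmp(buf, "\\def") == 0;
}

int main(void)
{
    printf("normal: %d, oversized rejected: %d\n", demo_normal(), demo_overflow_rejected());
    return 0;
}
```

With the check in place the oversized macro is reported as an error instead of walking off the end of the buffer, which is the behaviour a patched expandmacro should have.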

References