LaTeX to RCE, Private Bug Bounty Program

Yasho
Jul 6, 2018 · 2 min read

I participated in a private bug bounty program about one year ago, and I want to publish what I learned from it. The CMS was a journal site providing services to authors, editors, etc. I managed to get an editor account through an XSS, which I won't go through in this story.

In the editor's role, there were many options; the interesting ones were "XML checker" and "Converting LaTeX code to PDF". The first one is not related to our topic; the second one seemed interesting.

Converting LaTeX code to PDF

A remote attacker can gain remote command execution through the LaTeX code conversion; the following links might be helpful:

  1. https://tex.stackexchange.com/questions/262625/security-latex-injection-hack
  2. https://0day.work/hacking-with-latex/
  3. http://scumjr.github.io/2016/11/28/pwning-coworkers-thanks-to-latex/
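The write-up shows what the conversion feature let through; the other side of the same problem is what a defender wraps around such a feature. The following is an added example, not the journal CMS's code or the author's: a wrapper that screens submitted LaTeX for shell-escape and out-of-job file access, then runs pdflatex with shell escape disabled and kpathsea's file-access settings in paranoid mode. It assumes TeX Live's pdflatex and that its texmf.cnf variables (shell_escape, openin_any, openout_any) can be overridden by environment variables of the same name, which is how kpathsea resolves them. The sample documents at the bottom are constructed for the demonstration.

```python
"""Hardened wrapper for turning user-supplied LaTeX into a PDF.

Added example (not the CMS's or the author's code). Assumes TeX Live's
pdflatex and its kpathsea library, whose texmf.cnf settings
(shell_escape, openin_any, openout_any) can be overridden by environment
variables of the same name.
"""
from __future__ import annotations

import re
import subprocess
import tempfile
from pathlib import Path

# Primitives that run shell commands or open arbitrary files. This static
# screen is a secondary, auditable control; the hard limit is the invocation
# built in build_invocation() (shell escape off, file access confined).
_SHELL_OR_RAW_FILE = re.compile(r"\\(write18|openin|openout)\b")
# File-including commands: benign when they name a file in the job
# directory, suspicious when they point outside it.
_FILE_INCLUDE = re.compile(r"\\(input|include|InputIfFileExists)\b\s*\{?\s*([^\s}]+)")


def screen_source(src: str) -> list[str]:
    """Return findings about the source (empty list = nothing suspicious)."""
    findings = []
    for m in _SHELL_OR_RAW_FILE.finditer(src):
        findings.append(f"\\{m.group(1)} used at offset {m.start()}")
    for m in _FILE_INCLUDE.finditer(src):
        target = m.group(2)
        if target.startswith(("/", "~", "|")) or ".." in target:
            findings.append(f"\\{m.group(1)} targets {target!r} outside the job directory")
    return findings


def build_invocation(job_dir: str | Path, tex_name: str = "main.tex") -> tuple[list[str], dict[str, str]]:
    """Command line and environment that confine pdflatex to job_dir."""
    cmd = [
        "pdflatex",
        "-no-shell-escape",         # no \write18, whatever texmf.cnf says
        "-interaction=batchmode",   # never wait for terminal input
        "-halt-on-error",
        "-file-line-error",
        f"-output-directory={job_dir}",
        tex_name,
    ]
    env = {
        "PATH": "/usr/bin:/bin",
        "HOME": str(job_dir),       # per-user TeX state stays inside the job
        "shell_escape": "f",        # belt and braces with -no-shell-escape
        "openin_any": "p",          # paranoid: no absolute or ../ read paths
        "openout_any": "p",         # paranoid: no absolute or ../ write paths
    }
    return cmd, env


def compile_safely(src: str, timeout_s: int = 30) -> bytes:
    """Screen, then compile in a throwaway directory; return the PDF bytes."""
    findings = screen_source(src)
    if findings:
        raise ValueError("rejected LaTeX source: " + "; ".join(findings))
    with tempfile.TemporaryDirectory() as tmp:
        job_dir = Path(tmp)
        (job_dir / "main.tex").write_text(src, encoding="utf-8")
        cmd, env = build_invocation(job_dir)
        # The timeout bounds runaway documents; cwd keeps relative paths
        # inside the job directory.
        subprocess.run(cmd, cwd=job_dir, env=env, timeout=timeout_s, check=True,
                       stdout=subprocess.DEVNULL, stderr=subprocess.DEVNULL)
        return (job_dir / "main.pdf").read_bytes()


if __name__ == "__main__":
    # Constructed samples: a normal document and two that the screen rejects.
    benign = r"\documentclass{article}\begin{document}\input{chapter1}\end{document}"
    reads_file = r"\documentclass{article}\begin{document}\input{/etc/passwd}\end{document}"
    runs_shell = r"\documentclass{article}\begin{document}\immediate\write18{id}\end{document}"
    for name, doc in (("benign", benign), ("reads_file", reads_file), ("runs_shell", runs_shell)):
        print(name, "->", screen_source(doc) or "clean")
```

The screen is deliberately narrow so that it stays auditable; the controls that actually stop the two things the write-up demonstrates (local file read and command execution) are `-no-shell-escape` and the paranoid `openin_any`/`openout_any` settings, and the whole conversion should additionally run as a dedicated low-privilege user or in a container with no network, so that an engine bug or a missed primitive does not hand over the host.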

So I crafted the exploit code shown below in order to read local files on the server:

Resulted in :

Bingo, I had the /etc/passwd content. The payload for command execution:

Resulted in:


Out of Band Technique

The PDF conversion was annoying, and I wanted to escalate my privileges, so I automated the procedure by

  1. Writing code that exploits the flaw (LaTeX to PDF)
  2. Writing a server in Python that receives the result, converts it to clear text, and saves it.

The flow is shown below:

Consequently:

Afterward, I got comfortable with this exploit; searching the server, I got to the database and Elasticsearch via SSRF and had fun.

InfoSec Write-ups

A collection of write-ups from the best hackers in the world on topics ranging from bug bounties and CTFs to vulnhub machines, hardware challenges and real life encounters. In a nutshell, we are the largest InfoSec publication on Medium. Maintained by Hackrew