
Hacking with LaTeX - internetwache
https://0day.work/hacking-with-latex/
======
Kristine1975
It's LaTeX, not Latex. And it's TeX-the-language (as opposed to TeX-the-program)
that's Turing-complete; LaTeX is a macro package written in TeX.

Also, from 2011: [https://cseweb.ucsd.edu/~hovav/dist/tex-login.pdf](https://cseweb.ucsd.edu/~hovav/dist/tex-login.pdf)

_TeX files are a common method of collaboration for computer science
professionals. It is widely assumed by users that LaTeX files are safe; that
is, that no significant harm can come of running LaTeX on an arbitrary
computer. Unfortunately, this is not the case: In this article we describe how
to exploit LaTeX to build a virus that spreads between documents on the MiKTeX
distribution on Windows XP as well as how to use malicious documents to steal
data from web-based LaTeX previewer services._

Edit: It seems at least TeXlive has configuration options to disallow access
to files outside the current directory:
[http://tex.stackexchange.com/a/116927](http://tex.stackexchange.com/a/116927)

~~~
unfamiliar
>It's LaTeX, not Latex.

Who cares, really?

~~~
duncan_bayne
People who cultivate a level of attention to detail that is seen as pedantic
by many, but that is utterly essential for creating high quality software.

~~~
gaur
Maybe we can get some of those people to work on LaTeX.

For example, why should the commands for upright Greek letters be different
for different fonts? \upalpha for one font, \alphaup for another, and
\otheralpha for another -- it's a damn mess.

Perhaps someone who's cultivated a level of attention to detail could spend
some time fixing this kind of buggy crap, instead of spending time telling
people how to properly capitalize LaTeX.

------
radarsat1
> That's because Latex is turing complete and that means...

The article is of course interesting, but it's really annoying to read claims
that Turing completeness has anything to do with security. The danger comes
from interaction with the external environment, not whether or not the
language is Turing complete. If HTML had a "\write" equivalent, it would be
just as dangerous. Conversely, the script,

    \newwrite\outfile
    \openout\outfile=cmd.tex
    \write\outfile{\imm\diate\wwrite\args}
    \write\outfile{\inp\iput\cmd}
    \closeout\outfile


Doesn't require a loop or anything indicating a Turing complete language. That
said the Turing complete aspects of Latex can be very useful, for e.g. using
it to calculate results during compilation. But it's the \write etc that make
it dangerous, not \loop.
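As an added example (not code from the article or from anyone in this thread), a small Python pre-flight scanner that reports the I/O primitives radarsat1's point turns on (`\openout`, `\openin`, `\write`, `\input`, and `\write18`, the shell-escape stream that is only live when compiled with -shell-escape) instead of looking for loops. The control-sequence list and the sample document are constructed for this example; the sample wraps the snippet quoted above.

```python
import re
from typing import List, NamedTuple

# Control sequences through which a TeX document reaches outside itself.
# Constructed for this example; the list and descriptions are not from the article.
RISKY_CS = {
    "write18": "shell-escape stream; runs a command when compiled with -shell-escape",
    "openout": "opens a file for writing",
    "openin": "opens a file for reading",
    "write": "writes to an output stream",
    "input": "reads and executes another file",
    "include": "reads and executes another file",
}

# A control word (\letters, '@' counted as a letter) or a control symbol (\ plus one non-letter).
CS_RE = re.compile(r"\\([A-Za-z@]+|[^A-Za-z@])")

class Finding(NamedTuple):
    line: int
    cs: str
    why: str

def scan_tex(source: str) -> List[Finding]:
    """Return every risky control sequence in `source`, with its line number."""
    findings: List[Finding] = []
    for lineno, line in enumerate(source.splitlines(), start=1):
        # Drop TeX comments: text after a '%' not escaped as '\%' (a literal '\\' before '%' is not handled).
        code = re.split(r"(?<!\\)%", line, maxsplit=1)[0]
        for m in CS_RE.finditer(code):
            name = m.group(1)
            # '\write' directly followed by the digits 18 is the shell-escape stream.
            if name == "write" and code[m.end():m.end() + 2] == "18":
                name = "write18"
            if name in RISKY_CS:
                findings.append(Finding(lineno, name, RISKY_CS[name]))
    return findings

def needs_review(source: str) -> bool:
    """True when the document touches files or streams and should be compiled only in isolation."""
    return bool(scan_tex(source))

# Constructed sample: the snippet quoted in the thread, plus a comment line showing
# that a commented-out primitive is not reported.
SAMPLE_TEX = r"""% \write18{...} in a comment is inert
\newwrite\outfile
\openout\outfile=cmd.tex
\write\outfile{\imm\diate\wwrite\args}
\write\outfile{\inp\iput\cmd}
\closeout\outfile
"""
```

Note that the obfuscated `\imm\diate` and `\wwrite` tokens are not themselves flagged; the scanner catches the document because it must still use `\openout` and `\write` to get anything onto disk.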

~~~
JadeNB
> \newwrite\outfile

> \openout\outfile=cmd.tex

> \write\outfile{\imm\diate\wwrite\args}

> \write\outfile{\inp\iput\cmd}

> \closeout\outfile

Though a longtime TeXer, I've never used the output facilities very much, so
it's probably my fault; but I can't understand what this does (hence what it
illustrates), and some things seem like typos. For example, shouldn't
`\imm\diate`, `\wwrite`, and `\iput` be `\immediate`, `\write`, and `\input`?
(I don't know about `\inp`.) What does this do?

~~~
radarsat1
It's from the article.

~~~
JadeNB
Oops! I usually read comments first, to see if the article is worth it. Sorry
about that.

------
JorgeGT
It should be noted that shell escape is disabled by default in standard
installations and the -shell-escape flag must be explicitly passed during
compilation to enable it.

So if someone is knowledgeable enough to add this flag I would assume that
they know what they are doing, such as the guys cited in the article who
create an isolated Docker container for each compilation cycle [note: very
nice use of Docker!].

~~~
zaphar
With the caveat, of course, that when it comes to security you can't just say
"Docker and done". Docker is one layer of defense but it's not completely
vetted and depending on it to fix all your security problems is a terrible
practice to get into.

------
legulere
> That's because Latex is turing complete

You don't need something to be Turing complete to exploit it and something
being Turing-complete doesn't mean you can exploit it (except DoS, if the
process isn't killed automatically after a while).

------
vanilla
Combining that with a Docker container breakout would be interesting.

[https://news.ycombinator.com/item?id=7909622](https://news.ycombinator.com/item?id=7909622)
(Docker container breakout?)

------
agumonkey
ICFP 2008 submission [http://sdh33b.blogspot.fr/2008/07/icfp-contest-2008.html](http://sdh33b.blogspot.fr/2008/07/icfp-contest-2008.html)

[http://pages.physics.cornell.edu/~shicks/icfp08/proof.png](http://pages.physics.cornell.edu/~shicks/icfp08/proof.png)

[http://pages.physics.cornell.edu/~shicks/icfp08/proof.pdf](http://pages.physics.cornell.edu/~shicks/icfp08/proof.pdf)

------
derrzzaa
I'd hoped this wasn't about the software.

