Are Text-Only Data Formats Safe? Or, Use This LaTeX Class File to Pwn Your Computer
By Stephen Checkoway, Hovav Shacham, and Eric Rescorla.
In Proceedings of LEET 2010. USENIX, April, 2010.
Abstract
We show that malicious TeX, BibTeX, and METAPOST files can lead to arbitrary code execution, viral infection, denial of service, and data exfiltration, through the file I/O capabilities exposed by TeX's Turing-complete macro language. This calls into doubt the conventional wisdom view that text-only data formats that do not access the network are likely safe. We build a TeX virus that spreads between documents on the MikTeX distribution on Windows XP; we demonstrate data exfiltration attacks on web-based LaTeX previewer services.
Material
- Proceedings version in PDF.
- Slides from LEET 2010 in PDF.
- Full version, local copy in PDF, PS, and DVI.
- Source in LaTeX and the class file on github.
Reference
@InProceedings{checkoway-shacham-rescorla:texhack:leet2010,
  author =       {Stephen Checkoway and Hovav Shacham and Eric Rescorla},
  title =        {Are Text-Only Data Formats Safe? {O}r, Use This
                  {\LaTeX} Class File to Pwn Your Computer},
  year =         2010,
  month =        apr,
  organization = {USENIX},
  editor =       {Michael Bailey},
  booktitle =    {Proceedings of LEET 2010},
  url =          {https://checkoway.net/papers/tex2010},
}