Open wgranados opened 7 years ago
LaTeX is now cross-platform; the solution can be found here: 890a3f9c6bd4de12ee90eb826469e8c72e96b31a. In this solution we also moved the whole compilation of LaTeX files to CodeCogs, and they have security testing for this type of injection.
Reverted back to normal compilation with pdflatex. After doing some research I have come across the following articles: https://0day.work/hacking-with-latex/ and http://jdlm.info/ds-docker-demo/#1. So I'll have to isolate the pdflatex environment in a Docker instance.
Docker instance is set up; some more protection is needed so the software is not run under root. Also note that Docker is not a completely safe alternative, from what I've read.
Turns out that since LaTeX is Turing complete you can abuse it by injecting code into math mode that's not really recognizable, so it can't be patched completely. Will probably have to set up this service to connect with another online host. For example:
[22:28:26] +Disconnect AR: .latex $distractmoar\catcode42=0 *catcode92=9\\*catcode`*-=9 *newcount\*x *newcount-*N *N=2-*newwrite*ddx *x=\-1*loop*ifnum\\*x<*N-*advance *x by 0*repeat-\-\-$
This started an infinite loop which borked the bot.

[23:38:09] +Disco n Nectar: .latex $\catcode42=0my*catcode92=9*catcode`*-=9di\str\act *newcount\*x *newcount-*N *N=*number`F-*newwrite*ddx *x=\-1*loop*ifnum\\*x<*N-*immediate\*openout*ddx=*the*x.wgmaweeb*advance *x by -1*repeat\i\on$\noitcartsidym

And this created a lot of files locally.

[01:29:07] +kota ◕‿◕: .latex $\input{/etc/passwd}$
Which created this: http://i.imgur.com/xrbrGuW.png
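As an added example of the isolation the comments above are working toward (not this repository's or the bot's own code): a POSIX shell wrapper that builds a `docker run` line for one compile job, addressing the three incidents in the log (runaway loop, file flood, reading files outside the job). The image name, the 20-second budget, the tmpfs sizes and the presence of coreutils `timeout` in the image are assumptions.

```shell
# Hypothetical wrapper, not the bot's own code: compile one untrusted .tex file
# inside a throwaway, non-root, network-less container with hard limits.
# Assumptions: docker is installed, the image ships pdflatex and coreutils
# `timeout`, and $jobdir is a per-job scratch directory removed afterwards.

# Print (rather than run) the docker invocation so the policy can be inspected.
latex_sandbox_cmd() {
    jobdir="$1"                          # host dir holding the submitted file
    mainfile="$2"                        # bare file name, e.g. job.tex
    image="${3:-texlive/texlive:latest}" # assumed image; any TeX Live image works
    printf '%s' "docker run --rm \
 --network none \
 --user 65534:65534 \
 --cap-drop ALL --security-opt no-new-privileges \
 --read-only --tmpfs /work:size=32m,mode=1777 --tmpfs /tmp:size=16m \
 --memory 256m --memory-swap 256m --pids-limit 64 --cpus 1 \
 -e openin_any=p -e openout_any=p \
 -v '${jobdir}':/src:ro -w /work \
 ${image} \
 sh -c 'cp /src/${mainfile} . && \
  timeout -s KILL 20 pdflatex -no-shell-escape -interaction=batchmode -halt-on-error ${mainfile} && \
  cat ${mainfile%.tex}.pdf'"
}
# Mapping to the incidents above:
#   infinite loop  -> timeout -s KILL 20, --cpus 1, --pids-limit 64, --memory
#   file flood     -> output lands only on a 32m tmpfs that dies with the container
#   \input{/etc/passwd} -> openin_any=p refuses absolute paths and "..", the
#                          process is uid 65534 on a read-only rootfs, and
#                          -no-shell-escape blocks \write18

# Run one job: the PDF is written to $outpdf, everything else stays inside.
compile_latex() {
    jobdir="$1"; mainfile="$2"; outpdf="$3"
    # Refuse names with path components, dotfiles or shell-significant chars
    case "$mainfile" in ""|.*|*/*|*[!A-Za-z0-9._-]*) return 2 ;; esac
    eval "$(latex_sandbox_cmd "$jobdir" "$mainfile")" > "$outpdf"
}
```

A non-zero exit from `compile_latex` means the job was killed, failed, or was refused; the bot should report that and delete `$jobdir` either way.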