CVE-2016-10243
published 2017-05-02

CVE-2016-10243: TeX Live allows remote attackers to execute arbitrary commands by leveraging inclusion of mpost in shell_escape_commands in the texmf.cnf config file.

Priority: P261, critical, 9.8 (CVSS 3.0)
Vector: AV:N / AC:L / PR:N / UI:N / S:U / C:H / I:H / A:H
EPSS: 7.15% (93.5th percentile)

Affected

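6 ranges

| Vendor        | Product      | Version range                                  | Fixed in                                     |
|---------------|--------------|------------------------------------------------|----------------------------------------------|
| debian        | debian_linux |                                                |                                              |
| debian        | debian_linux |                                                |                                              |
| debian        | texlive-base | < texlive-base 2016.20161130-1 (bookworm)      | texlive-base 2016.20161130-1 (bookworm)      |
| debian        | texlive-bin  | < texlive-base 2016.20161130-1 (bookworm)      | texlive-base 2016.20161130-1 (bookworm)      |
| fedoraproject | fedora       |                                                |                                              |
| fedoraproject | fedora       |                                                |                                              |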

Detection & IOCs (extracted from sources)

  • The vulnerability is triggered via TeX's \write18 (shell escape) mechanism, where mpost is included in the shell_escape_commands whitelist in texmf.cnf, allowing it to spawn arbitrary external programs.
  • mpost (a program whitelisted in shell_escape_commands) can itself invoke non-whitelisted external programs, enabling arbitrary code execution when a malicious TeX document is compiled.
  • Attack vector is a specially crafted TeX file; monitor for suspicious TeX document processing that invokes mpost or unexpected child processes spawned from mpost.
  • Review texmf.cnf for the shell_escape_commands directive; presence of 'mpost' in this list on unpatched installations indicates exploitable configuration.
  • Reference exploit/technique writeup available at https://scumjr.github.io/2016/11/28/pwning-coworkers-thanks-to-latex/ — useful for understanding attack payloads in TeX documents.
  • The vulnerability exists specifically because 'mpost' is listed in the shell_escape_commands whitelist inside texmf.cnf. The fix involves removing mpost from this whitelist or patching mpost to disallow spawning further external programs.
  • Red Hat Enterprise Linux 7 is marked 'Will not fix', meaning patched packages may not be available for RHEL7 and detection/mitigation must be applied manually.
  • Upstream fix is tracked in TeX Live SVN revision 42605; installations not updated to at least this revision remain vulnerable.
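
The texmf.cnf review described in the list above can be scripted. The following is an added example, not part of the original entry or of TeX Live: the function names and the sample configuration are constructed for illustration, and the parser assumes kpathsea's documented syntax (% comments, trailing-backslash continuations, earlier definitions override later ones).

```python
import re

# Constructed sample in texmf.cnf syntax (not copied from a real installation).
SAMPLE_CNF = r"""
% restricted shell escape: only listed programs may run via \write18
shell_escape = p
shell_escape_commands = \
bibtex,bibtex8,\
kpsewhich,\
makeindex,\
mpost,\
repstopdf  % trailing comment
"""

# variable[.progname] [=] value
_DEF = re.compile(r"^\s*([^\s=.]+)(?:\.([^\s=]+))?\s*=?\s*(.*)$")

def parse_texmf_cnf(text):
    """Return {variable: value}, joining '\\' continuations and dropping % comments."""
    settings, pending = {}, ""
    for raw in text.splitlines():
        # A comment starts with % at line start or after whitespace.
        line = re.sub(r"(^|\s)%.*$", "", raw).rstrip()
        if line.endswith("\\"):
            pending += line[:-1]          # continuation: keep accumulating
            continue
        line, pending = pending + line, ""
        m = _DEF.match(line) if line.strip() else None
        if m:
            key = m.group(1) + ("." + m.group(2) if m.group(2) else "")
            # Earlier definitions override later ones, so never overwrite.
            settings.setdefault(key, m.group(3).strip())
    return settings

def audit_shell_escape(text):
    """Report the shell-escape mode and whether mpost is in the allowed list."""
    cfg = parse_texmf_cnf(text)
    raw_list = cfg.get("shell_escape_commands", "")
    cmds = [c.strip() for c in raw_list.split(",") if c.strip()]
    return {
        "shell_escape": cfg.get("shell_escape"),
        "commands": cmds,
        "mpost_listed": "mpost" in cmds,
    }

if __name__ == "__main__":
    print(audit_shell_escape(SAMPLE_CNF))
```

On a live system, `kpsewhich -var-value=shell_escape_commands` prints the value kpathsea resolves across all texmf.cnf files, which is the list that matters when several configuration files are present.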

CVSS provenance

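| Source        | Version | Score | Severity | Vector                                       |
|---------------|---------|-------|----------|----------------------------------------------|
| nvd           | v3.0    | 9.8   | CRITICAL | CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
| nvd           | v2.0    | 7.5   | HIGH     | AV:N/AC:L/Au:N/C:P/I:P/A:P                   |
| osv           |         | 9.8   | CRITICAL |                                              |
| vendor_debian |         | 9.8   | CRITICAL |                                              |
| vendor_redhat |         | 9.8   | CRITICAL |                                              |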