CVE-2016-10243
Published: 2017-05-02
CVE-2016-10243: TeX Live allows remote attackers to execute arbitrary commands by leveraging inclusion of mpost in shell_escape_commands in the texmf.cnf config file.
Priority P261 · critical · 9.8 · CVSS 3.0
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS: 7.15% (93.5th percentile)
Affected
6 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| debian | debian_linux | — | — |
| debian | debian_linux | — | — |
| debian | texlive-base | < texlive-base 2016.20161130-1 (bookworm) | texlive-base 2016.20161130-1 (bookworm) |
| debian | texlive-bin | < texlive-base 2016.20161130-1 (bookworm) | texlive-base 2016.20161130-1 (bookworm) |
| fedoraproject | fedora | — | — |
| fedoraproject | fedora | — | — |
Detection & IOCs
- The vulnerability is triggered via TeX's \write18 (shell escape) mechanism, where mpost is included in the shell_escape_commands whitelist in texmf.cnf, allowing it to spawn arbitrary external programs.
- mpost (a program whitelisted in shell_escape_commands) can itself invoke non-whitelisted external programs, enabling arbitrary code execution when a malicious TeX document is compiled.
- Attack vector is a specially crafted TeX file; monitor for suspicious TeX document processing that invokes mpost or unexpected child processes spawned from mpost.
- Review texmf.cnf for the shell_escape_commands directive; presence of 'mpost' in this list on unpatched installations indicates exploitable configuration.
- Reference exploit/technique writeup available at https://scumjr.github.io/2016/11/28/pwning-coworkers-thanks-to-latex/ — useful for understanding attack payloads in TeX documents.
- The vulnerability exists specifically because 'mpost' is listed in the shell_escape_commands whitelist inside texmf.cnf. The fix involves removing mpost from this whitelist or patching mpost to disallow spawning further external programs.
- Red Hat Enterprise Linux 7 is marked 'Will not fix', meaning patched packages may not be available for RHEL7 and detection/mitigation must be applied manually.
- Upstream fix is tracked in TeX Live SVN revision 42605; installations not updated to at least this revision remain vulnerable.
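The texmf.cnf review described in the list above can be scripted. The following is an added example, not code from this page or from TeX Live: it uses a simplified reading of texmf.cnf syntax (`%` comments, backslash line continuation), and both sample fragments, including the `r-mpost` entry, are constructed for illustration.

```python
import re

# Constructed texmf.cnf fragments for illustration (not from a real host).
VULNERABLE = """\
shell_escape = p
shell_escape_commands = \\
bibtex,bibtex8,\\
kpsewhich,\\
mpost,\\
repstopdf,\\

"""
# An entry whose name merely contains "mpost" (here r-mpost) must not be flagged.
PATCHED = """\
% shell_escape_commands = mpost   (old value, commented out)
shell_escape_commands = \\
bibtex,bibtex8,\\
kpsewhich,\\
r-mpost,\\
repstopdf,\\

"""

# Variable name, optional ".progname" qualifier, then "=" or whitespace.
ASSIGN = re.compile(r"^shell_escape_commands(?:\.[\w-]+)?(?:\s*=\s*|\s+)(.*)$")

def logical_lines(text):
    """Drop % comment lines and join lines ending in a backslash."""
    buf = ""
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("%"):
            continue
        line = re.sub(r"\s%.*$", "", line)  # strip a trailing comment
        if line.endswith("\\"):
            buf += line[:-1]
            continue
        yield buf + line
        buf = ""
    if buf:
        yield buf

def shell_escape_commands(text):
    """Return one command list per shell_escape_commands definition."""
    return [[c.strip() for c in m.group(1).split(",") if c.strip()]
            for m in map(ASSIGN.match, logical_lines(text)) if m]

def allows_mpost(text):
    """True if any definition lists mpost as an exact entry."""
    return any("mpost" in cmds for cmds in shell_escape_commands(text))
```

On a live system, `kpsewhich -a texmf.cnf` lists every texmf.cnf in the search path; run the check against each file it reports.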
CVSS provenance
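| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.0 | 9.8 | CRITICAL | CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
| nvd | v2.0 | 7.5 | HIGH | AV:N/AC:L/Au:N/C:P/I:P/A:P |
| osv | — | 9.8 | CRITICAL | — |
| vendor_debian | — | 9.8 | CRITICAL | — |
| vendor_redhat | — | 9.8 | CRITICAL | — |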
Ubuntu
TeX Live vulnerability
vendor_ubuntu·2017-08-22
Summary: TeX Live could be made to run programs as your login if it opened a specially crafted file.
It was discovered that TeX Live incorrectly handled certain system commands. If a user were tricked into processing a specially crafted TeX file, a remote attacker could execute arbitrary code.
Instructions: In general, a standard system update will make all the necessary changes.
Red Hat
texlive: mpost allows to run non-whitelisted external programs
vendor_redhat·2016-11-28·CVSS 9.8
TeX Live allows remote attackers to execute arbitrary commands by leveraging inclusion of mpost in shell_escape_commands in the texmf.cnf config file.
Package: texlive (Red Hat Enterprise Linux 6) - Not affected
Package: texlive (Red Hat Enterprise Linux 7) - Will not fix
Debian
CVE-2016-10243: texlive-base - TeX Live allows remote attackers to execute arbitrary commands by leveraging inc...
vendor_debian·2016·CVSS 9.8
TeX Live allows remote attackers to execute arbitrary commands by leveraging inclusion of mpost in shell_escape_commands in the texmf.cnf config file.
Scope: local
bookworm: resolved (fixed in 2016.20161130-1)
bullseye: resolved (fixed in 2016.20161130-1)
forky: resolved (fixed in 2016.20161130-1)
sid: resolved (fixed in 2016.20161130-1)
trixie: resolved (fixed in 2016.20161130-1)
GHSA
GHSA-7674-jxfw-vhf5: TeX Live allows remote attackers to execute arbitrary commands by leveraging inclusion of mpost in shell_escape_commands in the texmf
ghsa_unreviewed·2022-05-17
CVE-2016-10243 [CRITICAL] CWE-20 GHSA-7674-jxfw-vhf5: TeX Live allows remote attackers to execute arbitrary commands by leveraging inclusion of mpost in shell_escape_commands in the texmf
TeX Live allows remote attackers to execute arbitrary commands by leveraging inclusion of mpost in shell_escape_commands in the texmf.cnf config file.
OSV
CVE-2016-10243: TeX Live allows remote attackers to execute arbitrary commands by leveraging inclusion of mpost in shell_escape_commands in the texmf
osv·2017-05-02·CVSS 9.8
TeX Live allows remote attackers to execute arbitrary commands by leveraging inclusion of mpost in shell_escape_commands in the texmf.cnf config file.
No detection rules found.
No public exploits indexed.
Bugzilla
CVE-2016-10243 texlive: mpost allows to run non-whitelisted external programs [fedora-all]
bugzilla·2017-03-06·CVSS 9.8
This is an automatically created tracking bug! It was created to ensure
that one or more security vulnerabilities are fixed in affected versions
of fedora-all.
For comments that are specific to the vulnerability please use bugs filed
against the "Security Response" product referenced in the "Blocks" field.
For more information see:
http://fedoraproject.org/wiki/Security/TrackingBugs
When submitting as an update, use the fedpkg template provided in the next
comment(s). This will include the bug IDs of this tracking bug as well as
the relevant top-level CVE bugs.
Please also mention the CVE IDs being fixed in the RPM changelog and the
fedpkg commit message.
NOTE: this issue affects multiple suppo
Bugzilla
CVE-2016-10243 texlive: mpost allows to run non-whitelisted external programs
bugzilla·2017-03-06·CVSS 9.8
The TeX system allows external programs to be called from within TeX source code (via \write18). This has long been restricted to a small set of programs.
Unfortunately, it turned out that one program in the list, mpost (also shipped with TeX Live), in turn allows other programs to be specified and run, which allows arbitrary code execution when compiling a TeX document.
References:
http://seclists.org/oss-sec/2017/q1/555
https://scumjr.github.io/2016/11/28/pwning-coworkers-thanks-to-latex/
Upstream patch:
https://www.tug.org/svn/texlive?view=revision&revision=42605
Discussion:
Created texlive tracking bugs for this issue:
Affects: fedora-all [bug 1429454]
http://www.debian.org/security/2017/dsa-3803
http://www.openwall.com/lists/oss-security/2017/03/05/1
http://www.securityfocus.com/bid/96593
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/B7CNJ4HKX7X6V7VMN3UCU7KPY6IX4XRB/
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/VL6PUKPWEXYIPIAZRIX5ZLQWCSALVLFP/
https://scumjr.github.io/2016/11/28/pwning-coworkers-thanks-to-latex/
https://security.gentoo.org/glsa/201709-07
https://www.tug.org/svn/texlive?view=revision&revision=42605
Published: 2017-05-02