CESA-2009-009 - rev 1
[See all my vulnerabilities at
http://scary.beasts.org/security]
[Blog if you want to subscribe to new findings is at
http://scarybeastsecurity.blogspot.com/]
mimetex.cgi multiple stack-based buffer overflows
Programs affected: mimetex prior to the 17 June 2009 version
Severity: Arbitrary code execution; information disclosure
mimetex.cgi is a popular helper executable for programmatically rendering
mathematical equations as an image. Various web forums use it to enhance their
discussion of math and science. For better or worse, you can easily find
consumers using a Google search:
http://images.google.com/images?hl=en&q=inurl:mimetex.cgi
It had a few classic stack-based buffer overflows, triggered by the following
TeX expressions:
./mimetex.cgi "\picture(12,34){(AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA$10,10){testing}}"
./mimetex.cgi "\circle(10;`perl -e 'print "A"x400'`)"
./mimetex.cgi "\input[`perl -e 'print "A"x2000'`]{mimetex.cgi}"
In addition, the \environ, \input and \counter directives may be unsuitable
for exposure to untrusted input from the internet and have therefore been
disabled by default.
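The three triggers above share one bug class: a directive argument of attacker-controlled length is copied into a fixed-size stack buffer without a bounds check. The following C program is an added illustration of that class and of the mitigations the advisory describes (bounded copies, and refusing the \environ, \input and \counter directives by default). It is not mimetex's code: the parser, its names, the buffer size ARG_MAX and the status codes are all invented for this example.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical TeX-like directive parser, written for this example only.
 * It is not taken from mimetex; every name and size here is invented. */

#define ARG_MAX 32   /* size of the fixed stack buffer an argument is copied into */

enum parse_status { PARSE_OK, PARSE_BAD_SYNTAX, PARSE_TOO_LONG, PARSE_DISABLED };

/* Directives the advisory says are now disabled by default for untrusted input. */
static const char *const disabled_directives[] = { "environ", "input", "counter" };

/* Unsafe pattern: the text between '(' and ')' is copied into a fixed stack
 * buffer with no length check, so an argument longer than ARG_MAX-1 bytes
 * overwrites whatever follows buf on the stack. Kept only for contrast with
 * parse_directive() below; it is never called with long input here. */
static size_t copy_arg_unsafe(const char *expr)
{
    char buf[ARG_MAX];
    const char *open = strchr(expr, '(');
    const char *close = open ? strchr(open, ')') : NULL;
    size_t n;
    if (!open || !close)
        return 0;
    n = (size_t)(close - open - 1);
    memcpy(buf, open + 1, n);      /* BUG: n is never compared with ARG_MAX */
    buf[n] = '\0';
    return strlen(buf);
}

/* Hardened version: the directive name is checked against the disabled list,
 * and every length is checked before any byte is written into a buffer.
 * name and arg must each have room for ARG_MAX bytes. */
static enum parse_status parse_directive(const char *expr, char *name, char *arg)
{
    const char *open, *close;
    char closer;
    size_t i, n;

    if (expr[0] != '\\')
        return PARSE_BAD_SYNTAX;
    open = strpbrk(expr + 1, "([{");           /* start of the first argument */
    if (!open)
        return PARSE_BAD_SYNTAX;
    n = (size_t)(open - (expr + 1));           /* length of the directive name */
    if (n == 0 || n >= ARG_MAX)
        return PARSE_TOO_LONG;
    memcpy(name, expr + 1, n);
    name[n] = '\0';

    for (i = 0; i < sizeof disabled_directives / sizeof disabled_directives[0]; i++)
        if (strcmp(name, disabled_directives[i]) == 0)
            return PARSE_DISABLED;

    closer = *open == '(' ? ')' : *open == '[' ? ']' : '}';
    close = strchr(open + 1, closer);
    if (!close)
        return PARSE_BAD_SYNTAX;
    n = (size_t)(close - open - 1);
    if (n >= ARG_MAX)                          /* reject before touching arg */
        return PARSE_TOO_LONG;
    memcpy(arg, open + 1, n);
    arg[n] = '\0';
    return PARSE_OK;
}

/* Convenience wrapper: parse expr and return only the status. */
static enum parse_status status_of(const char *expr)
{
    char name[ARG_MAX], arg[ARG_MAX];
    return parse_directive(expr, name, arg);
}

/* Builds "\circle(AAA...)" with n 'A's, a constructed input modelled on the
 * advisory's perl -e 'print "A"x400' trigger, and parses it safely. */
static enum parse_status parse_long_circle(size_t n)
{
    char expr[1024];
    char name[ARG_MAX], arg[ARG_MAX];
    if (n > sizeof expr - 16)
        n = sizeof expr - 16;
    memcpy(expr, "\\circle(", 8);
    memset(expr + 8, 'A', n);
    expr[8 + n] = ')';
    expr[9 + n] = '\0';
    return parse_directive(expr, name, arg);
}

int main(void)
{
    printf("\\circle(10)              -> %d\n", status_of("\\circle(10)"));
    printf("\\input[x]{mimetex.cgi}  -> %d (disabled)\n", status_of("\\input[x]{mimetex.cgi}"));
    printf("\\circle with 400 A's     -> %d (too long)\n", parse_long_circle(400));
    printf("unsafe copy of short arg -> %zu bytes\n", copy_arg_unsafe("\\circle(10)"));
    return 0;
}
```

The important ordering in parse_directive() is that the length comparison happens before memcpy(), not after: a check placed after the copy is too late, because the stack has already been overwritten by the time it runs.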
Credits
- Google - found on Google's time. Be aware that nothing on my personal
pages or blog represents Google... obviously.
Chris Evans
scarybeasts@gmail.com