Latex to RCE, Private Bug Bounty Program

I had participated in a private bug bounty program about one year ago, I want to publish what I’ve learned from. The CMS was a journal site giving service to authors, editors and etc. I accomplished to get editor account by an XSS which I’m not going through with this story.

In the editor’s role, there were many options, interesting ones were “XML checker” and “Converting LaTex codes to PDF”. The first one lets which is not related to our topic, the second one seemed interesting.

Converting LaTex code to PDF

A remote attacker can gain remote command execution thanks to LaTex code conversion, following links might be helpful:

1. https://tex.stackexchange.com/questions/262625/security-latex-injection-hack
2. https://0day.work/hacking-with-latex/
3. http://scumjr.github.io/2016/11/28/pwning-coworkers-thanks-to-latex/

So I crafted an exploit code shown below in order to read local files in the server:

Resulted in :

Bingo, I’d the /etc/passwd content. The payload to command execution:

Resulted in:

Out of Band Technique

The PDF conversion was annoying, I wanted to escalate my privileged, so I automated the procedure by

1. Writing a code exploiting the flaw (LaTex to PDF)
2. Writing a server by python receiving the result, converting it to clear text, saving it.

The flow is shown below:

Consequently:

Afterward, I got conformable with this exploit, seeking the server, I got the database and Elastic-Search by SSRF and had fun.