A security vulnerability, identified as CVE-2023-32700, has been discovered in LuaTeX, a Unicode-aware TeX engine based on the Lua programming language. This vulnerability allows arbitrary shell command execution when compiling a TeX file obtained from an untrusted source. The issue affects LuaTeX before 1.17., as well as TeX Live before 2023 r66984 and MiKTeX before 23.5.

Exploit Details

The vulnerability lies in the luatex-core.lua file, which allows access to the original io.popen function. This, in turn, enables attackers to execute arbitrary shell commands by injecting malicious code within a TeX file obtained from an untrusted source. When the affected LuaTeX version compiles the malicious file, it inadvertently opens a pathway for external code execution.

Here is a sample code snippet that exploits this vulnerability:

\directlua{
  local io_popen = io.popen
  local result = io_popen("echo 'Hello, world!'"):read("*all")
  tex.sprint(result)
}

In the above code snippet, the io.popen function is used to execute the echo shell command, which, in this case, simply outputs 'Hello, world!'. An attacker could potentially replace this with a more malicious command.

- LuaTeX project website – The official website for LuaTeX, where you can find documentation and download links for the latest versions.
- TeX Live project website – The official website for TeX Live, where you can find documentation, download links and updates on the latest releases.
- MiKTeX project website – The official website for MiKTeX, where you can find documentation, download links and updates on the latest releases.

Users are advised to take the following steps to mitigate the impact of this vulnerability:

1. Update to the latest version of LuaTeX (1.17. or later), TeX Live (2023 r66984 or later) and MiKTeX (23.5 or later). The latest versions of these TeX distributions include patches that address this vulnerability.
2. Validate the authenticity of TeX files before compiling them, especially if they have been obtained from an untrusted source.
3. Be cautious when opening TeX files from unknown sources. Treat these files as you would treat an unknown email attachment or executable file.
4. Restrict the shell-escape feature by setting it to a limited mode. This can be done by adding --shell-restricted or --no-shell-escape to the command options when compiling a TeX file.
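
For steps 2 and 3, a pre-compile triage pass can flag untrusted sources that embed Lua or name process-launching calls before they reach the engine. The following is an added example, not code from LuaTeX, TeX Live or MiKTeX; the names `triage` and `verdict` are hypothetical, and every pattern other than `io.popen` is an assumption about what is worth flagging.

```python
import re

# How a TeX source hands text to Lua: LuaTeX primitives and luacode macros.
LUA_ENTRY = re.compile(r"\\(?:directlua|latelua|luadirect|luaexec)\b"
                       r"|\\begin\s*\{luacode\*?\}")

def _member(module, names):
    """Regex for module.name and module["name"], tolerating whitespace."""
    alt = "|".join(names)
    # \x22 and \x27 are the double and single quote characters.
    return (rf"\b{module}\s*(?:\.\s*(?:{alt})\b"
            rf"|\[\s*[\x22\x27](?:{alt})[\x22\x27]\s*\])")

# Calls that start a process, plus the classic \write18 shell escape.
SHELL_CAPABLE = re.compile("|".join([
    _member("io", ["popen"]),
    _member("os", ["execute", "exec", "spawn"]),
    r"\\write\s*18\b",
]))

def triage(tex_source):
    """Return (line_number, category, matched_text) for every hit.

    Comments are scanned too: a file can change the catcode of '%', so
    skipping "commented" text could hide live code. This over-reports.
    """
    findings = []
    for lineno, line in enumerate(tex_source.splitlines(), start=1):
        for category, pattern in (("lua-entry", LUA_ENTRY),
                                  ("shell-capable", SHELL_CAPABLE)):
            for match in pattern.finditer(line):
                findings.append((lineno, category, match.group(0)))
    return findings

def verdict(findings):
    """block: process-launching call; review: Lua present; else clean."""
    categories = {category for _, category, _ in findings}
    if "shell-capable" in categories:
        return "block"
    return "review" if "lua-entry" in categories else "clean"

# Sample input: the snippet shown on this page.
SUSPECT = r"""\directlua{
  local io_popen = io.popen
  local result = io_popen("echo 'Hello, world!'"):read("*all")
  tex.sprint(result)
}"""
if __name__ == "__main__":
    print(triage(SUSPECT), verdict(triage(SUSPECT)))
```

A "clean" verdict is not proof of safety, because TeX macros can assemble names at run time. Use the scan to decide what gets human review, and still compile only with a patched engine.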

Overall, it is essential to keep your software up to date and to be wary of files obtained from untrusted sources. This will go a long way in protecting your system from potential attacks exploiting known vulnerabilities such as CVE-2023-32700.

Timeline

Published on: 05/20/2023 18:15:00 UTC
Last modified on: 06/04/2023 03:15:00 UTC