Can You Accept LaTeX Files from Strangers? Ten Years Later

TL;DR

This paper investigates the security risks of malicious LaTeX files, demonstrating how they can collect system data and assessing the effectiveness of existing defenses in online LaTeX services.

Contribution

It introduces a malicious LaTeX package that collects system data and evaluates the security measures of online LaTeX compilation services.

Findings

Malicious LaTeX can extract sensitive system information.

Sandboxing and command restrictions vary in effectiveness.

Some services, like PMLatex, are too permissive.

Abstract

It is well-known that Microsoft Word/Excel compatible documents or PDF files can contain malicious content. LaTeX files are unfortunately no exception either. LaTeX users often include third-party codes through sources or packages (.sty or .cls files). But those packages can execute malicious commands on the users' system, in order to capture sensitive information or to perform denial of service attacks. Checkoway et al. [3] were the first to warn LaTeX users of these threats. Collaborative cloud-based LaTeX editors and services compiling LaTeX sources are particularly concerned. In this paper, we have created a LaTeX package that collects system data and hides them inside the PDF file produced by the target. Then, we have measured what can be recovered by hackers using malicious LaTeX file on online services, and which measures those services have enforced to thwart the threats. Services defend themselves using sandbox or commands restrictions. Commands restrictions are more difficult to setup and we found one service (PMLatex) which is too permissive.