Are there any dangerous commands in LaTeX?
Category 1
\newwrite\out
\immediate\openout\out=\jobname
\immediate\write\out{Fool!}
\bye
This will overwrite the TeX file.
TeX will obey your instructions even if they're foolish. However, it will refuse to write file above the current working directory (under the standard settings of the most common distributions).
Obviously, if the current directory is /
and you run TeX with superuser privileges, you can overwrite anything on your system; but this is true of every scripting language interpreter that's able to write out files, so not a specific thing of TeX.
Category 2
If you run TeX with -shell-escape
enabled and sufficient privileges, you can execute any program, including rm -f /
. So be careful when enabling -shell-escape
. Some packages, notably minted
require -shell-escape
. Examine the input file you receive from other people before processing it.
Category 3
TeX engines different from LuaTeX only allocate a maximum amount of memory.
It's easy to make TeX loop forever without wasting resources with
\def\fool{\fool}\fool
On the other hand, complicated graphics with LuaTeX, that has dynamic allocation of memory, can lead to consuming vast amount of resources.
Category 4
Redefine a primitive in a wrong way and you'll be welcomed by puzzling error messages such as
! A <box> was supposed to be here.
<to be read again>
-
l.9 \end{document}
which is produced by
\documentclass{article}
\renewcommand{\box}[1]{-#1-}
\begin{document}
\box{abc}
\end{document}
The most dangerous command is \renewcommand
(or \def
). Another instance is the following
\documentclass{article}
\renewcommand{\fi}{whatever}
\begin{document}
\end{document}
that makes LaTeX stop with the very puzzling error message
! LaTeX Error: Missing \begin{document}.
See the LaTeX manual or LaTeX Companion for explanation.
Type H <return> for immediate help.
...
l.3 \begin{document}
If you have a LaTeX-allergy, then all LaTeX is dangerous. ;-)
To be more serious:
You might be interested in these documents:
A platform independent computer virus
by Keith Allen McMillan
URL: http://vxheaven.0l.wtf/lib/vkm00.html
URL: ftp://ftp.cerias.purdue.edu/pub/doc/viruses/KeithMcMillan-PlatformIndependantVirus.ps
Summary:
In this master-thesis the author elaborates on his research regarding the question whether a platform-independent virus can be implemented in LaTeX.
The author defines viruses as follows: A computer virus is a fragment of a computer program whereof the user of the program is not aware. When the program is executed, the viral fragment takes control and performs the actions it is programmed to perform. Purposes of viruses:
- Propagation on the infected computer-system by copying themselves or causing other programs to copy them.
- Protecting themselves from detection.
- An optional "payload". The "payload" can be malicious action.
The author distinguishes viruses from rabbits—the latter are not fragments but they are entire programs—and worms. Worms are self-contained self-replicating computer programs whose spreading is not focused on the files of the infected computer-system but whose spreading is focused on a network-environment, i.e., making copies of themselves on as many machines as possible.
Towards the end of the master-thesis, the author outlines how to program a virus in LaTeX which can without modification run and spread on a variety of computer platforms as long as these platforms support LaTeX and GNU emacs. In order to prevent unleashing such a virus, the actual code used in his research is not presented. The LaTeX/GNU emacs virus outlined does not have a payload and does only infect LaTeX-files with filename-extension .tex in the current directory where the \documentstyle
-directive contains a comment %DoNotInfectMe
by placing itself behind that directive.
The author explains that
- GNU emacs is used for providing the virus with a file containing a list of target-files/.tex-files in the current directory that can be infected.
- LaTeX is used for processing those macros that do the work of infection.
- The author outlines how to structure the LaTeX code executed by the virus and the LaTeX macros that constitute the routines of the virus.
Don’t take LaTeX files from strangers
by Steven Checkoway, Hovav Shacham, and Eric Rescorla
URL: https://www.usenix.org/system/files/login/articles/73506-checkoway.pdf
URL: https://hovav.net/ucsd/dist/tex-login.pdf
Quote from the abstract:
TeX, LaTeX, and BibTeX files are a common method of collaboration for computer science professionals. It is widely assumed by users that LaTeX files are safe; that is, that no significant harm can come of running LaTeX on an arbitrary computer. Unfortunately, this is not the case: In this article we describe how to exploit LaTeX to build a virus that spreads between documents on the MiKTeX distribution on Windows XP as well as how to use malicious documents to steal data from web-based LaTeX previewer services.
Are Text-Only Data Formats Safe? Or, Use This LaTeX Class File to Pwn Your Computer
by Steven Checkoway, Hovav Shacham, and Eric Rescorla
URL: https://hovav.net/ucsd/dist/texhack.pdf
Quote from the abstract:
We show that malicious TeX, BIBTeX, and METAPOST files can lead to arbitrary code execution, viral infection, denial of service, and data exfiltration, through thefile I/O capabilities exposed by TeX’s Turing-complete macro language. This calls into doubt the conventional wisdom view that text-only data formats that do not access the network are likely safe. We build a TeX virus that spreads between documents on the MiKTeX distribution on Windows XP; we demonstrate data exfiltration attacks on web-based LaTeX previewer services.
Hacking with LaTeX
by Sebastian Neef
URL: https://0day.work/hacking-with-latex/
The author elaborates on the capability of (La)TeX to create/write and read text files via \input
/\read
/\write
and on \write18
. \input
/\read
/\write
could be used for reading/copying/overwriting sensitive files. \write18
can be used for doing harm by exexuting programs.
LaTeX Malicious PDF Generation
by admin
URL: http://blog.9bplus.com/latex-malicious-pdf-generation/
The author outlines that LaTeX is used for creating pdf-files and that there are LaTeX packages like the package movie15
which can be used for integrating .swf
-files (Shockwave Flash Files) into .pdf-files. .swf
-files in turn can be malicious.
(Remark by me, Ulrich Diez: The "danger" lies in the fact that like many other pdf-creation-tools LaTeX can be used for integrating objects/items into .pdf-files. Integrated objects/items in turn do not necessarily need to be created by means of LaTeX, and can be malicious.)
Summa summarum:
With many of the things explained in these elaborates, the danger does neither come per se from using LaTeX, nor has something to do with producing LaTeX-code with inherent malignancy, but the danger comes from applying LaTeX/LaTeX-code to resources (.swf-files, scripts that get executed by the pdf-viewer, etc) that are not trustworthy/that are compromised.
Someone might (ab)use (La)TeX's capability of writing external files for producing huge garbage-files again and again until the SD-card/the SSD is damaged due to the amount of writing-cycles.
Besides this you can use (La)TeX for writing things in cryptic ways.
When writing my answer to the question "Macro for mass hyper-reference?" I took the opportunity to show some of them.
I leave judging whether this is dangerous to others.
In any case you can write in cryptic ways (where one doesn't immediately see what the code does) directives for creating garbage-files or carrying out \write18
-calls.
\outer
is a good candidate for generating unintended results.
Making a command \outer
after having added it to a hook can cause trouble when it comes to appending to that hook:
The minimal example
\documentclass{article}
\AtEndDocument{\one}
\outer
\def\one{one}
\AtEndDocument{\two}
\def\two{two}
\begin{document}
\end{document}
delivers
Runaway text?
! Forbidden control sequence found while scanning text of \toks@.
<inserted text>
}
l.6 \AtEndDocument{\two}
\outer
-tokens inside \if..\else..\fi
also trigger error-messages:
The minimal example
\documentclass{article}
\outer\def\macro{}
\begin{document}
\iffalse\macro\fi
\end{document}
delivers
! Incomplete \iffalse; all text was ignored after line 6.
<inserted text>
\fi
l.6 \iffalse\macro
\fi
?
By the way:
All this does not answer the question whether there is a (single) command in LaTeX that is dangerous.
So I don't understand why this answer of mine gets so many "likes" although it does not really answer the question. ;->
(But using LaTeX's macro-capabilities, you can create macros that can be used as single commands which trigger the execution of a lot of code/of a lot of directives/instructions which have an effect which can probably be considered dangerous.)
In my opinion the most dangerous command is \globaldefs1
. Don't try! ;-)
\documentclass{article}
%\globaldefs1
\begin{document}
\section{Test}
\end{document}
It changes the way definitions work in LaTeX fundamentally. Definitions become global by default. That is, it undermines the way LaTeX works: groups are no longer efficient. As a consequence, everything goes berserk. Of course, if you really know what you are doing, you can use it. Ironically, you may only use it locally.
Of course, as every cat knows, \catcode
can also be used to do maximal damage. It can be used in sneaky ways, which must be the reason why it is called cat code .