Can You Accept LaTeX Files from Strangers? Ten Years Later

by   Guilhem Lacombe, et al.

It is well-known that Microsoft Word/Excel compatible documents or PDF files can contain malicious content. LaTeX files are unfortunately no exception either. LaTeX users often include third-party codes through sources or packages (.sty or .cls files). But those packages can execute malicious commands on the users' system, in order to capture sensitive information or to perform denial of service attacks. Checkoway et al. [3] were the first to warn LaTeX users of these threats. Collaborative cloud-based LaTeX editors and services compiling LaTeX sources are particularly concerned. In this paper, we have created a LaTeX package that collects system data and hides them inside the PDF file produced by the target. Then, we have measured what can be recovered by hackers using malicious LaTeX file on online services, and which measures those services have enforced to thwart the threats. Services defend themselves using sandbox or commands restrictions. Commands restrictions are more difficult to setup and we found one service (PMLatex) which is too permissive.


page 1

page 2

page 3

page 4


Robust PDF Files Forensics Using Coding Style

Identifying how a file has been created is often interesting in security...

CapExec: Towards Transparently-Sandboxed Services (Extended Version)

Network services are among the riskiest programs executed by production ...

Helm – What It Can Do and Where Is It Going?

Deploying an application into a Kubernetes cluster requires sending a ma...

Exploitation and Sanitization of Hidden Data in PDF Files

Organizations publish and share more and more electronic documents like ...

Static analysis of executable files by machine learning methods

The paper describes how to detect malicious executable files based on st...

Detecting malicious PDF using CNN

Malicious PDF files represent one of the biggest threats to computer sec...

Cloud-Based Content Cooperation System to Assist Collaborative Learning Environment

Online educational systems running on smart devices have the advantage o...