
Pwning coworkers thanks to LaTeX

28 Nov 2016
Writing reports in LaTeX is painful. However, it’s a great occasion to bring joy
to the office and pwn a coworker’s laptop while he’s kindly proofreading your
pentest report.

A few techniques allow the execution of commands during the conversion of a .tex file to a PDF with pdflatex. It’s documented, and the following TeX primitives send commands to the shell:
\immediate\write18{bibtex8 --wolfgang \jobname}
\input{|bibtex8 --wolfgang \jobname}

On Ubuntu 16.04, the /usr/share/texmf/web2c/texmf.cnf configuration file controls
the behavior of pdflatex (texlive-base package). Here’s an extract:
% Enable system commands via \write18{…}. When enabled fully (set to
% t), obviously insecure. When enabled partially (set to p), only the
% commands listed in shell_escape_commands are allowed. Although this
% is not fully secure either, it is much better, and so useful that we
% enable it for everything but bare tex.
shell_escape = p

% No spaces in this command list.
% The programs listed here are as safe as any we know: they either do
% not write
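
An added example, not code from the original article: a small audit that reads the shell_escape settings from a texmf.cnf and lists the two shell primitives shown above in a .tex file before it is compiled. The sample inputs, the function names and the simplified allowlist check are assumptions made for illustration.

```python
import re
# Constructed sample in texmf.cnf syntax (not the real Ubuntu file).
SAMPLE_CNF = r"""
shell_escape = p
shell_escape_commands = \
bibtex,bibtex8,\
kpsewhich
"""
# Constructed .tex input using the two primitives quoted in the article.
SAMPLE_TEX = r"""
% \immediate\write18{id}   (commented out, must not be reported)
\immediate\write18{bibtex8 --wolfgang \jobname}
\input{|bibtex8 --wolfgang \jobname}
\input{chapter1}
"""
PRIMITIVE = re.compile(r"\\write18\s*\{([^}]*)\}|\\input\s*\{\s*\|([^}]*)\}")

def parse_cnf(text):
    """Return {name: value} for one texmf.cnf; first definition kept (assumed)."""
    settings = {}
    for line in re.sub(r"\\\n", "", text).splitlines():  # join continuations
        line = line.strip()
        if line.startswith("%") or "=" not in line:
            continue
        name, _, value = line.partition("=")
        settings.setdefault(name.strip(), value.strip())
    return settings

def shell_escape_policy(settings):
    """Map shell_escape (t, p or f) to (mode, allowlisted programs)."""
    modes = {"t": "unrestricted", "p": "restricted", "f": "disabled"}
    mode = modes.get(settings.get("shell_escape", ""), "unknown")
    names = settings.get("shell_escape_commands", "").split(",")
    return mode, [n for n in names if n] if mode == "restricted" else []

def find_shell_calls(tex):
    """Heuristic: (line, command) for the two forms above, outside comments."""
    hits = []
    for n, line in enumerate(tex.splitlines(), 1):
        code = re.sub(r"(?<!\\)%.*", "", line)  # strip TeX comments
        for m in PRIMITIVE.finditer(code):
            hits.append((n, (m.group(1) or m.group(2) or "").strip()))
    return hits

def would_run(command, policy):
    """Simplified model: would this command reach the shell under the policy?"""
    mode, allowed = policy
    prog = (command.split() or [""])[0]
    return mode == "unrestricted" or (mode == "restricted" and prog in allowed)
```

The static scan cannot see primitives built by macros, so confirm the effective setting with `kpsewhich -var-value shell_escape` and compile files you did not write with `pdflatex -no-shell-escape`.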

