Less is, umm, less?
Following vulnerabilities discovered in tools that many Linux and information security enthusiasts use, such as the 'strings' command and the bash shell, a new series of issues has been discovered in the 'less' command. Less is used to paginate output and can be used to view the text contents of a file one page at a time. It can also receive data from a pipe. Examples: 'less myfile.txt' and 'xxd mybinfile | less'. One of the most attractive features of less is that you can move forwards and backwards through the output. It would not be unusual to use less to view files downloaded from the Internet, for example. The problem is that less on some versions of Linux runs a lesspipe script that invokes other utilities to actually view the contents of the files. Many of these should not be used to view files from an untrusted source. So local arbitrary code execution is possible if less is run on a malformed file. Back to using more?
References:
http://seclists.org/fulldisclosure/2014/Nov/74
http://linuxcommand.org/man_pages/less1.html
Cheers,
Adrien de Beaupré
Intru-shun.ca Inc.
Comments
There are also safer ways to invoke less, such as always piping from stdin.
cat untrustedfile | less
Since the lesspipe.sh script that the LESSOPEN variable is set to by default uses the filename to decide whether to run something else, always make sure the untrusted file has a 'safe' filename and ends with something like .txt and not something like .man.gz or .cpio.
For most of the file formats that lessopen supports, such as .tar, .gz, .zip, .rpm, .jpeg, .gif, it's kind of a big deal if there's a vulnerability just running those basic commands that lessopen uses.
Anonymous
Nov 26th 2014
You can also do this in your .profile or .bash_profile to dumb it back down:
unset LESSOPEN
less will warn you if it's a non-text file.
Switching back to more because of lesspipe is an overreaction.
Anonymous
Nov 26th 2014
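The two comments above describe the same mechanism from two angles: the LESSOPEN preprocessor picks a helper from the file name, so either give the file a harmless name (or feed it through stdin) or unset LESSOPEN altogether. The script below is an added example, not code from the diary or from any distribution's lesspipe.sh. The extension-to-helper table in `lesspipe_helper_for` is a simplified model built from the extensions the comments mention (real lesspipe scripts differ per distribution), and it includes one caveat the comments do not state: per less(1), a LESSOPEN value that starts with `|-` or `||-` applies the preprocessor to standard input as well, so `cat untrustedfile | less` is only a mitigation when the value lacks that dash.

```shell
#!/bin/sh
# Added example: models the extension-based dispatch of a lesspipe-style
# preprocessor and checks the two mitigations from the comments.
# Not the diary's code and not any distribution's lesspipe.sh.

# Simplified model (an assumption, not a real lesspipe.sh) of how a
# preprocessor chooses a helper from the file name. Prints the helper
# category; returns 0 when a helper would run, 1 when less would show
# the bytes as plain text. Order matters: *.tar.gz must precede *.gz.
lesspipe_helper_for() {
    case "$1" in
        *.tar|*.tar.gz|*.tgz) echo "tar";   return 0 ;;
        *.man.gz|*.[0-9].gz)  echo "man";   return 0 ;;
        *.gz)                 echo "gzip";  return 0 ;;
        *.zip)                echo "unzip"; return 0 ;;
        *.rpm)                echo "rpm";   return 0 ;;
        *.cpio)               echo "cpio";  return 0 ;;
        *.jpg|*.jpeg|*.gif)   echo "image"; return 0 ;;
        *)                    echo "none";  return 1 ;;
    esac
}

# Returns 0 when the current environment lets less run an input preprocessor
# at all. "unset LESSOPEN" in .profile (second comment) makes this return 1.
lessopen_active() {
    [ -n "${LESSOPEN:-}" ]
}

# Returns 0 when viewing FILE by name in this environment could hand it to
# a helper: LESSOPEN must be set AND the name must match a helper rule.
would_invoke_helper() {
    lessopen_active && lesspipe_helper_for "$1" >/dev/null
}

# The "cat file | less" mitigation (first comment) only helps when LESSOPEN
# does not start with "|-" or "||-"; with that dash less(1) also runs the
# preprocessor on standard input.
stdin_also_preprocessed() {
    case "${LESSOPEN:-}" in
        '|-'*|'||-'*) return 0 ;;
        *)            return 1 ;;
    esac
}

# Stand-alone demo against the caller's real environment.
if lessopen_active; then
    echo "LESSOPEN is set to: $LESSOPEN"
    if stdin_also_preprocessed; then
        echo "note: stdin is ALSO preprocessed; piping does not bypass the helper"
    fi
else
    echo "LESSOPEN is unset: less will show raw bytes (and warn on binaries)"
fi
for f in untrusted.cpio archive.tar.gz notes.txt; do   # constructed names
    if would_invoke_helper "$f"; then
        echo "$f: helper '$(lesspipe_helper_for "$f")' would run"
    else
        echo "$f: viewed as plain text"
    fi
done
```

Run it once with your normal environment and once after `unset LESSOPEN` to see the difference; the helper table is the part to adapt to whatever your distribution's lesspipe.sh actually dispatches on.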