Threat Level: green Handler on Duty: Xavier Mertens

SANS ISC: Less is, umm, less? - SANS Internet Storm Center SANS ISC InfoSec Forums


Sign Up for Free!   Forgot Password?
Log In or Sign Up for Free!
Less is, umm, less?

Following vulnerabilities discovered in tools many Linux and Information Security enthusiasts use such as the 'strings' command and the bash shell, a new series of issues have been discovered in the 'less' command. Less is used to paginate output, and can be used to view the text contents of a file one page at a time. It can also receive data from a pipe. Examples: 'less myfile.txt' and 'xxd mybinfile | less'. One of the most attractive features of less is that you can move forwards and backwards through the output. It would not be unusual to use less to view files downloaded from the Internet for example. The problem is that less on some versions of Linux run a lesspipe script that invokes other utilities to actually view the contents of the files. Many of these should not be used to view files from an untrusted source. So local arbitrary code execution is possible if less is run on a malformed file. Back to using more?

References:
http://seclists.org/fulldisclosure/2014/Nov/74
http://linuxcommand.org/man_pages/less1.html

Cheers,
Adrien de Beaupré
Intru-shun.ca Inc.

 

 

 

Adrien de Beaupre

346 Posts
ISC Handler
Look at your /usr/bin/lesspipe.sh file. There aren't that many utilities that are used.

There are also safer ways to invoke less, such as always pipe from stdin.

cat untrustedfile | less

Since the lesspipe.sh script the LESSOPEN variable is set to by default uses the filename to decide if to run something else, always make sure the untrusted file has a 'safe' filename and ends with something like .txt

and not something like .man.gz or .cpio


For most of the file formats that lessopen supports such as .tar, .gz, .zip, .rpm, .jpeg, .gif; it's kind of a big deal if there's a vulnerability just running those basic commands that lessopen uses.
Mysid

146 Posts Posts
lesspipe annoys the heck out of me most of the time.

You can also do this in your .profile or .bash_profile to dumb it back down:

unset LESSOPEN

less will warn you if it's a non-text file.

Switching back to more because of lesspipe is an overreaction.
John Hardin

62 Posts Posts

Sign Up for Free or Log In to start participating in the conversation!