Remote Code Execution via ‘less’ on Linux Boxes



Mattias Geniar, November 24, 2014

Follow me on Twitter as @mattiasgeniar

Mondays, gotta love’m.

Quoting Michal Zalewski's post to the oss-security list (archived on seclists.org):

Many Linux distributions ship with the 'less' command automagically interfaced to 'lesspipe'-type scripts, usually invoked via LESSOPEN. This is certainly the case for CentOS and Ubuntu.

Unfortunately, many of these scripts appear to call a rather large number of third-party tools that likely have not been designed with malicious inputs in mind. On CentOS, lesspipe appears to include things such as groff + troff + grotty, man, and cpio.

…where we end up allocating a zero-byte buffer and then promptly writing out of bounds (just under the buffer on 32-bit systems or somewhere above it on 64-bit).

Michal Zalewski, seclists.org

Buffer overflow, anyone? I wonder what the real-world impact of this is. I don't use less at all (I'm a more user), neither at the CLI nor in scripts. But how can I be certain other scripts, like vendor-supplied ones, aren't using this and potentially making me vulnerable? Unsetting the LESSOPEN and LESSCLOSE environment variables seems like it might actually break more than it fixes.
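The quoted post describes the mechanism (less hands every file it opens to whatever LESSOPEN points at, and that script shells out to groff, cpio and friends), and the paragraph above asks how to tell what a given box actually does. The script below is an added example, not code from the original post or from any distribution's lesspipe. It parses the LESSOPEN value the way less does (a leading "|" means pipe mode, "||" means pipe mode with fallback to the raw file when the preprocessor exits non-zero, and "|-" also runs it for standard input), finds the preprocessor script, and lists which of the known-risky helper tools that script references. The list of tools is the one named in the quoted post plus a few that lesspipe variants commonly call; the sample preprocessor it creates is a constructed stand-in so the check runs offline.

```sh
#!/bin/sh
# Added example: audit what the less input preprocessor (LESSOPEN) pulls in.
# Not part of the original post; RISKY_TOOLS beyond groff/troff/grotty/man/cpio
# is an assumption about what typical lesspipe scripts call.

# Extract the preprocessor path from a LESSOPEN value. less interprets the
# leading "|", "||" and "-" itself, so strip them and take the first word.
lessopen_script() {
    cmd=$(printf '%s' "$1" | sed -e 's/^[| -]*//')
    set -- $cmd          # word-split the remaining command line ("path %s")
    printf '%s\n' "$1"
}

# Helpers that receive attacker-controlled file content when less opens a file.
RISKY_TOOLS="groff troff grotty man cpio tar unzip gzip bzip2 xz rpm pdftotext"

# Print, one per line, every risky tool a preprocessor script names as a word.
risky_tools_in() {
    script=$1
    for t in $RISKY_TOOLS; do
        # whole-word match: "cpio -itv" counts, "-mandoc" does not count as "man"
        if grep -Eq "(^|[^A-Za-z0-9_])$t([^A-Za-z0-9_]|\$)" "$script"; then
            printf '%s\n' "$t"
        fi
    done
}

# Report the current shell's LESSOPEN and the tools its script references.
# On CentOS this is typically exported from /etc/profile.d/less.sh, on Ubuntu
# via eval "$(lesspipe)" in ~/.bashrc; cron jobs and non-login shells often
# lack it, which is why a vendor script must be checked in its own environment.
audit_lessopen() {
    if [ -z "${LESSOPEN:-}" ]; then
        echo "LESSOPEN is not set: less reads files directly"
        return 0
    fi
    script=$(lessopen_script "$LESSOPEN")
    echo "LESSOPEN=$LESSOPEN"
    echo "preprocessor: $script"
    if [ -r "$script" ]; then
        echo "external tools it references:"
        risky_tools_in "$script" | sed 's/^/  /'
    else
        echo "  (script not readable, cannot inspect)"
    fi
}

# Constructed stand-in for a lesspipe-style script so the check runs offline.
# It is NOT the real lesspipe.sh of any distribution.
make_sample_preprocessor() {
    cat > "$1" <<'EOF'
#!/bin/sh
case "$1" in
    *.cpio) cpio -itv < "$1" ;;
    *.[1-9]) groff -Tascii -mandoc "$1" ;;
    *.gz) gzip -dc "$1" ;;
esac
EOF
    chmod +x "$1"
}

# Usage: source this file and run audit_lessopen, or try it on the sample:
#   sample=$(mktemp); make_sample_preprocessor "$sample"
#   LESSOPEN="||$sample %s" audit_lessopen
# To view a single untrusted file without the preprocessor, bypass it once:
#   LESSOPEN= less suspicious.cpio      (or: less -L suspicious.cpio on
#   versions of less that support --no-lessopen)
```

The per-invocation bypass (LESSOPEN= or -L) is the practical answer to the "unsetting it breaks more than it fixes" worry: it leaves the shell's default intact for everyday use while keeping groff and cpio away from a file you do not trust.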

Some more reading material can be found in the seclists.org post and in the Hacker News thread.
