‘Less’ means more to malware authors targeting Linux usersNovember 24, 2014 – 5:40 PM
Using the “less” Linux command to view the contents of files downloaded from the Internet is a dangerous operation that can lead to remote code execution, according to a security researcher.
At first glance, less appears to be a harmless command that outputs a file’s content to a terminal window and allows the users to navigate forward and backward through it. Less does not allow file editing, which is a job for file editors like the widely used vi, but has the benefit of displaying data on the fly without needing to load an entire file into memory. This is useful when dealing with large files.
Less is frequently used to view text files, but on many Linux distributions, including Ubuntu and CentOS, it supports many more file types including archives, images and PDF. That’s because, on these systems, less is extended through a script called lesspipe that relies on different third-party tools to process files with various extensions.
The third-party tools that lesspipe, and therefore less, rely on have not been designed with malicious input in mind, said Google security engineer Michal Zalewski in a message Sunday to the Full Disclosure security mailing list.
When Zalewski ran a fuzzing program — a vulnerability testing tool that feeds malformed input to applications — against the cpio file archiving utility, one of the programs supported by lesspipe, it quickly identified a memory bug that can lead to arbitrary code execution.
“While it’s a single bug in cpio, I have no doubt that many of the other lesspipe programs are equally problematic or worse,” the researcher said.