Menu
'Less' means more to malware authors targeting Linux users

'Less' means more to malware authors targeting Linux users

Running the 'less' Linux command on files downloaded from the Internet is dangerous, a researcher said

Using the "less" Linux command to view the contents of files downloaded from the Internet is a dangerous operation that can lead to remote code execution, according to a security researcher.

At first glance, less appears to be a harmless command that outputs a file's content to a terminal window and allows the users to navigate forward and backward through it. Less does not allow file editing, which is a job for file editors like the widely used vi, but has the benefit of displaying data on the fly without needing to load an entire file into memory. This is useful when dealing with large files.

Less is frequently used to view text files, but on many Linux distributions, including Ubuntu and CentOS, it supports many more file types including archives, images and PDF. That's because, on these systems, less is extended through a script called lesspipe that relies on different third-party tools to process files with various extensions.

The third-party tools that lesspipe, and therefore less, rely on have not been designed with malicious input in mind, said Google security engineer Michal Zalewski in a message Sunday to the Full Disclosure security mailing list.

When Zalewski ran a fuzzing program -- a vulnerability testing tool that feeds malformed input to applications -- against the cpio file archiving utility, one of the programs supported by lesspipe, it quickly identified a memory bug that can lead to arbitrary code execution.

"While it's a single bug in cpio, I have no doubt that many of the other lesspipe programs are equally problematic or worse," the researcher said.

According to the Ubuntu manual, lesspipe has support for files with the following extensions: *.arj, *.tar.bz2, *.bz, *.bz2, *.deb, *.udeb, *.doc, *.gif, *.jpeg, *.jpg, *.pcd, *.png, *.tga, *.tiff, *.tif, *.iso, *.raw, *.bin, *.lha, *.lzh, *.pdf, *.rar, *.r[0-9][0-9], *.rpm, *.tar.gz, *.tgz, *.tar.z, *.tar.dz, *.gz, *.z, *.dz, *.tar, *.jar, *.war, *.xpi, *.zip and *.zoo.

"On CentOS, lesspipe appears to include things such as groff + troff + grotty, man, and cpio," Zalewski said. "On Ubuntu, there's isoinfo (?!), ar from binutils, and so on. Ancient and obscure compression utilities and doc converters crop up, too."

After Zalewski shared his findings on a mailing list called Open Source Security, other people started pointing out similar issues in other lesspipe tools and in less itself.

"I agree to both of you and to me it is an important issue," one user named Bernhard Hermann replied to Zalewski and another researcher's posts. "I don't want to be infected with malware while checking whether a file is malware or my distro [Linux distribution] doing something in the background that I'm not even aware of."

Many users would likely never run less on files with some of the more obscure extensions, but "ultimately, I think that there's an expectation that running less on a downloaded file won't lead to RCE [remote code execution], and the lesspipe behavior in many distros is almost certainly violating that," Zalewski said.

Running fuzz testing against all the tools used by lesspipe to identify as many vulnerabilities as possible and reporting those flaws to the relevant developers would take considerable effort. Some of the tools are quite old and their developers might be slow to react, if at all.

For the moment, users can protect themselves by removing the LESSOPEN and LESSCLOSE environment variables if they are set on their Linux systems, Zalewski said. These variables automatically call lesspipe when less is run for files with supported extensions.

It appears that there's a growing trend of finding vulnerabilities in Linux command-line utilities, which started with the Shellshock flaws found in September in the Bash Unix shell itself.

Last month, Zalewski found a remote code execution vulnerability in a library used by command-line tools like strings, objdump and readelf. A few days later, similar flaws were announced and patched in the popular wget and tnftp command-line programs.

Subscribe here for up-to-date channel news

Follow Us

Join the New Zealand Reseller News newsletter!

Error: Please check your email address.

Tags GooglesecurityExploits / vulnerabilitiesmalware

Featured

Slideshows

Tight lines as Hooked on Lenovo catches up at Great Barrier Island

Tight lines as Hooked on Lenovo catches up at Great Barrier Island

​Ingram Micro’s Hooked on Lenovo incentive programme recently rewarded 28 of New Zealand's top performing resellers with a full-on fishing trip at Great Barrier Island for the third year​ in a row.

Tight lines as Hooked on Lenovo catches up at Great Barrier Island
Inside the AWS Summit in Sydney

Inside the AWS Summit in Sydney

As the dust settles on the 2017 AWS Summit in Sydney, ARN looks back an action packed two-day event, covering global keynote presentations, 80 breakout sessions on the latest technology solutions, and channel focused tracks involving local cloud stories and insights.

Inside the AWS Summit in Sydney
Channel tees off on the North Shore as Ingram Micro hosts annual Cure Kids Charity golf day

Channel tees off on the North Shore as Ingram Micro hosts annual Cure Kids Charity golf day

Ingram Micro hosted its third annual Cure Kids Charity Golf Tournament at the North Shore Golf Club in Auckland. In total, 131 resellers, vendors and Ingram Micro suppliers enjoyed a round of golf consisting of challenges on each of the 18 sponsored holes, with Team Philips taking out the top honours.

Channel tees off on the North Shore as Ingram Micro hosts annual Cure Kids Charity golf day
Show Comments