The “less” command which allows you to see the files content downloaded from the Internet in Linux may appear to be quite a dangerous feature according to security specialists.
What Is Lesspipe
The feature looks harmless at first sight, allowing users to open the file in a terminal window and scroll back and forth through its content. The feature is not useful to file redactors, as it does not allow users to manipulate the file, but has an advantage in showing the file content without taking up memory recourses which can be very useful for big files.
It is usually used for text files viewing but many Linux distributions, like Ubuntu and CentOS for example, support much more types like archive, image and PDF ones. This is enabled by a script code, called lesspipe, which relies on third-party applications.
Vulnerabilities
Although the tool was not designed with malicious intentions in mind, test performed by a Google security engineer – Michal Zalewski showed that the system is subject to vulnerabilities if a wrong script code is input in the program.
This may lead to memory bugs and the program performance may result in arbitrary code execution. Although the bug has appeared in a single request in the CPIO file archiving program, the researchers think that such may appear in other programs as well.
“While it’s a single bug in cpio, I have no doubt that many of the other lesspipe programs are equally problematic or worse. In a thread yesterday, people immediately started pointing out other issues”, Zalewski wrote in a post on the subject.
After sharing his suspicions with the wide public, other users start commenting on the same findings as well. The tools which can be used to detect vulnerabilities are quite weak and slow though and may take a lot of time to perform testing. This will require a lot of efforts from developers as well.
“At this point, my best advice would be for users to unset LESSOPEN and LESSCLOSE if set by their distros.”, said Zalewski.
It seems looking for vulnerabilities in open-source systems is gaining speed at the moment. The beginning was probably researchers’ findings on the Bash Unix shell from this September. Last month Zalewski found another vulnerability by executing a remote code in the library used by objdump and readelf. Several days later such were found in the command programs Wget and tnftp.
Here’s what lesspipe supports in Linux Ubuntu and what you should be alert about if you’re using the tool: *.arj, *.bin, *.bz, *.bz2, *.deb, *.doc, *.dz, *.gif, *.gz, *.iso, *.jar, *.jpeg, *.jpg, *.lha, *.lzh, *.PCD, *.PDF, *.png, *.rar, *.raw, *.rpm, *.tar, *.tar.bz2, *.tar.dz, *.tar.gz, *.tar.Z, *.tga, *.tgz, *.tif, *.tiff, *.udeb, *.war, *.xpi, *.Z, *.zoo.
