Less is, umm, less?

Published: 2014-11-25
Last Updated: 2014-11-25 21:31:04 UTC
by Adrien de Beaupre (Version: 1)
2 comment(s)

Following vulnerabilities discovered in tools many Linux and Information Security enthusiasts use such as the 'strings' command and the bash shell, a new series of issues have been discovered in the 'less' command. Less is used to paginate output, and can be used to view the text contents of a file one page at a time. It can also receive data from a pipe. Examples: 'less myfile.txt' and 'xxd mybinfile | less'. One of the most attractive features of less is that you can move forwards and backwards through the output. It would not be unusual to use less to view files downloaded from the Internet for example. The problem is that less on some versions of Linux run a lesspipe script that invokes other utilities to actually view the contents of the files. Many of these should not be used to view files from an untrusted source. So local arbitrary code execution is possible if less is run on a malformed file. Back to using more?


Adrien de Beaupré
Intru-shun.ca Inc.




2 comment(s)


Look at your /usr/bin/lesspipe.sh file. There aren't that many utilities that are used.

There are also safer ways to invoke less, such as always pipe from stdin.

cat untrustedfile | less

Since the lesspipe.sh script the LESSOPEN variable is set to by default uses the filename to decide if to run something else, always make sure the untrusted file has a 'safe' filename and ends with something like .txt

and not something like .man.gz or .cpio

For most of the file formats that lessopen supports such as .tar, .gz, .zip, .rpm, .jpeg, .gif; it's kind of a big deal if there's a vulnerability just running those basic commands that lessopen uses.
lesspipe annoys the heck out of me most of the time.

You can also do this in your .profile or .bash_profile to dumb it back down:


less will warn you if it's a non-text file.

Switching back to more because of lesspipe is an overreaction.

Diary Archives