Subscribe / Unsubscribe Enewsletters | Login | Register

Pencil Banner

'Less' means more to malware authors targeting Linux users

Lucian Constantin | Nov. 25, 2014
Running the 'less' Linux command on files downloaded from the Internet is dangerous, a researcher says.

linux attack

Using the "less" Linux command to view the contents of files downloaded from the Internet is a dangerous operation that can lead to remote code execution, according to a security researcher.

At first glance, less appears to be a harmless command that outputs a file's content to a terminal window and allows the users to navigate forward and backward through it. Less does not allow file editing, which is a job for file editors like the widely used vi, but has the benefit of displaying data on the fly without needing to load an entire file into memory. This is useful when dealing with large files.

Less is frequently used to view text files, but on many Linux distributions, including Ubuntu and CentOS, it supports many more file types including archives, images and PDF. That's because, on these systems, less is extended through a script called lesspipe that relies on different third-party tools to process files with various extensions.

The third-party tools that lesspipe, and therefore less, rely on have not been designed with malicious input in mind, said Google security engineer Michal Zalewski in a message Sunday to the Full Disclosure security mailing list.

When Zalewski ran a fuzzing program -- a vulnerability testing tool that feeds malformed input to applications -- against the cpio file archiving utility, one of the programs supported by lesspipe, it quickly identified a memory bug that can lead to arbitrary code execution.

"While it's a single bug in cpio, I have no doubt that many of the other lesspipe programs are equally problematic or worse," the researcher said.

According to the Ubuntu manual, lesspipe has support for files with the following extensions: *.arj, *.tar.bz2, *.bz, *.bz2, *.deb, *.udeb, *.doc, *.gif, *.jpeg, *.jpg, *.pcd, *.png, *.tga, *.tiff, *.tif, *.iso, *.raw, *.bin, *.lha, *.lzh, *.pdf, *.rar, *.r[0-9][0-9], *.rpm, *.tar.gz, *.tgz, *.tar.z, *, *.gz, *.z, *.dz, *.tar, *.jar, *.war, *.xpi, *.zip and *.zoo.

"On CentOS, lesspipe appears to include things such as groff + troff + grotty, man, and cpio," Zalewski said. "On Ubuntu, there's isoinfo (?!), ar from binutils, and so on. Ancient and obscure compression utilities and doc converters crop up, too."

After Zalewski shared his findings on a mailing list called Open Source Security, other people started pointing out similar issues in other lesspipe tools and in less itself.

"I agree to both of you and to me it is an important issue," one user named Bernhard Hermann replied to Zalewski and another researcher's posts. "I don't want to be infected with malware while checking whether a file is malware or my distro [Linux distribution] doing something in the background that I'm not even aware of."


1  2  Next Page 

Sign up for CIO Asia eNewsletters.