Subscribe / Unsubscribe Enewsletters | Login | Register

Pencil Banner

'Less' means more to malware authors targeting Linux users

Lucian Constantin | Nov. 25, 2014
Running the 'less' Linux command on files downloaded from the Internet is dangerous, a researcher says.

Many users would likely never run less on files with some of the more obscure extensions, but "ultimately, I think that there's an expectation that running less on a downloaded file won't lead to RCE [remote code execution], and the lesspipe behavior in many distros is almost certainly violating that," Zalewski said.

Running fuzz testing against all the tools used by lesspipe to identify as many vulnerabilities as possible and reporting those flaws to the relevant developers would take considerable effort. Some of the tools are quite old and their developers might be slow to react, if at all.

For the moment, users can protect themselves by removing the LESSOPEN and LESSCLOSE environment variables if they are set on their Linux systems, Zalewski said. These variables automatically call lesspipe when less is run for files with supported extensions.

It appears that there's a growing trend of finding vulnerabilities in Linux command-line utilities, which started with the Shellshock flaws found in September in the Bash Unix shell itself.

Last month, Zalewski found a remote code execution vulnerability in a library used by command-line tools like strings, objdump and readelf. A few days later, similar flaws were announced and patched in the popular wget and tnftp command-line programs.


Previous Page  1  2 

Sign up for CIO Asia eNewsletters.