CVE-2024-32487

Vulnerability

In less versions up to and including 653, the shell_quoten() function in filename.c mishandles newline characters when constructing the command line for the input preprocessor. Specifically, it does not quote or escape newline (\n) in file names, allowing an attacker to inject arbitrary OS commands. The vulnerability is reachable when the LESSOPEN environment variable is set, which is often enabled by default via packaging scripts (e.g., zless, xzless, or ~/.bashrc on Ubuntu) [1].

Exploitation

An attacker can exploit this by creating a file whose name contains a newline character followed by shell commands. For example, the file '$(touch /tmp/pwned)' can be crafted with a newline in the name. When less (or a wrapper like zless) is invoked on such a file, the command constructed by the input preprocessor includes the newline, causing execution of the injected commands. No authentication or special privileges are required beyond the ability to place such a file in a location where a victim will use less on it [1].

Impact

Successful exploitation allows arbitrary OS command execution with the privileges of the user running less. This can lead to full compromise of the user's session, data exfiltration, or further system compromise. The impact is considered critical due to the common default setting of LESSOPEN [1][4].

Mitigation

A fix has been implemented in commit 007521ac3c95bc76e3d59c6dbfe75d06c8075c33 [4]. Users should upgrade to less version 654 or later. For versions like 643, backported patches are available [2]. As a workaround, users can unset LESSOPEN or avoid using less on files from untrusted sources. The issue has been assigned CVE-2024-32487 [3].