Stack-based Buffer Overflow in gwsw/less
Sep 16th 2021
The less utility is a pager used by many applications and setups. One common setup is giving users access to log files: if their own permissions are not sufficient, less is invoked through sudo. LESSSECURE=1 can be set to disable many of the dangerous operations (shell escapes, piping, editing, opening other files) that a regular user should not be able to perform while holding root privileges, and less can also be compiled with many features disabled to further reduce the attack surface.
Using less, sudo, and LESSSECURE=1 in such a setup is also described in the book "Sudo Mastery: 2nd Edition" by Michael W. Lucas.
Due to a formatting bug in opt_x(), a regular user can overwrite stack memory, including the return address of the current function. In principle this allows code execution through return-oriented programming, but it is very hard to achieve in practice because the attacker controls only a very limited set of bytes: the data that overflows is the formatted list of tab stops, i.e. ASCII decimal digits and commas.
Proof of Concept
Tested on Arch Linux with less 590. The distribution does not matter; any system running a vulnerable less will do.
export LESSSECURE=1   # optional
less -x $(for i in $(seq 1000000000 1000000064); do echo -n "$i,"; done) -f /dev/null
_x in less
*** stack smashing detected ***: terminated
Aborted (core dumped)
You can argue that nobody would allow such -x arguments in a sudoers file, and you are right. The command line form is only there to make the issue easy to copy, paste and reproduce. The real attack is interactive: while less is running, the user can simply type -x followed by 64 integers at the less prompt. A sudoers rule cannot restrict that, and LESSSECURE=1 does not disable it either (the PoC crashes with LESSSECURE=1 set).
The integers must be strictly ascending, may start at 1 and go up to INT_MAX, and no more than 64 of them are accepted. That sounds like a fair amount of flexibility, but building a return-oriented programming chain out of it is still challenging.
In the best case the program simply crashes, as the stack protector output above shows. In the worst case an attacker is able to modify the program flow in a meaningful way and make less open other files or spawn processes, which is exactly what the sudo and LESSSECURE setup was meant to prevent.
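The sizing mistake behind the overflow, as an added example in C that is not code from less or from the author of this advisory: a message buffer that budgets 4 bytes per tab stop, while a stop of up to INT_MAX needs 10 digits plus a separating comma, so the PoC's 64 ten-digit stops need roughly twice what the buffer holds (64 stops of up to three digits would still fit, which is why the bug survives casual testing). TABSTOP_MAX, MSG_FIXED, the 4-byte budget and the message wording are assumptions for illustration; the exact values in less are not taken from this page. The bounded formatter alongside shows the fix: every write goes through vsnprintf with the space actually remaining, and the function returns the full length so a caller can detect truncation.

```c
#include <limits.h>
#include <stdarg.h>
#include <stdio.h>
#include <string.h>

/* Added example, not code from less. TABSTOP_MAX, MSG_FIXED and the message
 * wording are assumptions for illustration only. */
#define TABSTOP_MAX 64
#define MSG_FIXED   60
#define MSG_SIZE_BUGGY (MSG_FIXED + 4 * TABSTOP_MAX)  /* budgets "999," per stop: the bug */
#define INT_DEC_MAX ((int)(CHAR_BIT * sizeof(int) * 302 / 1000) + 1)  /* digits of INT_MAX */
#define MSG_SIZE_FIXED (MSG_FIXED + (INT_DEC_MAX + 1) * TABSTOP_MAX)  /* digits + "," per stop */

static size_t dec_len(unsigned long v)   /* digits in v's decimal form */
{
    size_t n = 1;
    while (v >= 10) { v /= 10; n++; }
    return n;
}

/* Bytes the unbounded sprintf() chain "Tab stops 1,2,3 and then every N spaces" would
 * write for n >= 2 stops, NUL excluded. Computed, not executed: nothing gets smashed. */
static size_t msg_len_needed(const int *stops, int n)
{
    size_t len = strlen("Tab stops ");
    for (int i = 0; i < n; i++)
        len += dec_len((unsigned long)stops[i]) + (i ? 1 : 0);   /* digits + "," */
    len += strlen(" and then every ") + dec_len((unsigned long)(stops[n-1] - stops[n-2]));
    return len + strlen(" spaces");
}

/* vsnprintf into the space left; once the buffer is full, further calls only
 * count (NULL/0), so *used ends up as the length the whole message needs. */
static void append(char *out, size_t outsz, size_t *used, const char *fmt, ...)
{
    va_list ap;
    va_start(ap, fmt);
    int r = vsnprintf(*used < outsz ? out + *used : NULL,
                      *used < outsz ? outsz - *used : 0, fmt, ap);
    va_end(ap);
    if (r > 0)
        *used += (size_t)r;
}

/* Hardened formatter: the worst case is a truncated message, never a write past
 * out[outsz - 1]. Returns the full length so the caller can detect truncation. */
static size_t format_tabstops_safe(const int *stops, int n, char *out, size_t outsz)
{
    size_t used = 0;
    append(out, outsz, &used, "Tab stops ");
    for (int i = 0; i < n; i++)
        append(out, outsz, &used, i ? ",%d" : "%d", stops[i]);
    append(out, outsz, &used, " and then every %d spaces", stops[n-1] - stops[n-2]);
    return used;
}

/* Constructed input matching the PoC: 64 strictly ascending ten-digit stops. */
static const int *poc_stops(void)
{
    static int s[TABSTOP_MAX];
    for (int i = 0; i < TABSTOP_MAX; i++)
        s[i] = 1000000000 + i;
    return s;
}

static size_t poc_len_needed(void)
{
    return msg_len_needed(poc_stops(), TABSTOP_MAX);
}

/* Formats the PoC stops into a buggy-sized buffer followed by a 0xAA guard area; returns 1
 * if the result is NUL-terminated, truncated to fit, and the guard bytes are untouched. */
static int poc_safe_format_respects_bounds(void)
{
    unsigned char buf[MSG_SIZE_BUGGY + 32];
    memset(buf, 0xAA, sizeof buf);
    if (format_tabstops_safe(poc_stops(), TABSTOP_MAX, (char *)buf, MSG_SIZE_BUGGY)
            != poc_len_needed())
        return 0;
    if (strlen((char *)buf) != MSG_SIZE_BUGGY - 1)
        return 0;
    for (size_t i = MSG_SIZE_BUGGY; i < sizeof buf; i++)
        if (buf[i] != 0xAA)
            return 0;
    return 1;
}

int main(void)
{
    printf("PoC message needs %zu bytes; buggy buffer holds %d, fixed buffer %d; "
           "bounded formatter stays in bounds: %d\n", poc_len_needed(),
           MSG_SIZE_BUGGY, MSG_SIZE_FIXED, poc_safe_format_respects_bounds());
    return 0;
}
```

Compile with any C99 compiler and run; main() prints the byte counts. The overflow is computed rather than executed, which keeps the example safe to run while making the 4-byte-versus-11-byte arithmetic concrete, and the guard-area check is the kind of test that would have caught the original sizing error.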