CVE-2022-46663: Analyzing the ANSI Escape Sequence Vulnerability in GNU Less Before 609
---
In this long-read post, we will analyze the vulnerability identified as CVE-2022-46663, which affects the GNU Less program versions before 609. In affected versions, the program fails to filter out ANSI escape sequences when the "less -R" command is used. This opens up a potential attack vector where crafted data can impact the terminal behavior. We will discuss the entire issue, including the problem and the risks, dive into the Less source code, provide links to original references, and explore the exploit details.
Background
---
GNU Less is a popular pager utility in Unix environments, allowing users to view the contents of a file one screen at a time. It provides various features, including the ability to scroll both forwards and backwards within files and support displaying non-printable characters, such as ANSI escape sequences which can control terminal behavior and appearance.
The problem starts with the "less -R" command, which instructs the Less pager to decode and display ANSI escape sequences (color and similar terminal control codes). However, due to a bug in the source code, the program fails to filter out certain escape sequences properly, allowing them to be sent to the terminal, potentially allowing an attacker to craft malicious data that can have undesired effects on a user's terminal session.
The Vulnerability Details
---
The core of the issue lies within the decoding and filtering of raw data in the Less source code. When setting the 'R' flag (by passing the -R option), the 'pr_decode' function should correctly sanitize the user data, removing any harmful ANSI escape sequences. However, an oversight in this function allows specific escape sequences to pass through without proper sanitization.
Below is a snippet of the vulnerable 'pr_decode' function
/* decode.c */
...
static int
pr_decode(void)
{
int c;
while ((c = ch_forw_get()) != EOI)
{
if (setjmp(decode_env) == )
pr_putchar(c);
}
return ();
}
...
The above code incorrectly allows specific escape sequences to pass through without proper sanitization resulting in the vulnerability. The original reference to the issue can be found at the following link:
- GNU Less Issue: https://lists.gnu.org/archive/html/bug-gnu-utils/2022-02/msg00000.html
A fixed version of the 'pr_decode' function is provided in version 609 or later. It is highly recommended to update GNU Less to a newer version if you are using a version impacted by this vulnerability.
Exploit Scenarios
---
One possible exploit scenario is an attacker crafting malicious data within a viewed file, such as an archive, log, or any other format that a user might open with the Less pager. This data could include ANSI escape sequences designed to cause undesired terminal effects. For example, an attacker could craft an escape sequence that:
Here's an example of a maliciously crafted file
echo -e "Harmless content\n\x1b]2;Malicious Terminal Title\x07\nMore harmless content" > malicious_file.txt
When viewing this file with the "less -R" command in a vulnerable version of GNU Less, the user's terminal title will be changed to "Malicious Terminal Title."
Mitigation
---
The only effective mitigation for CVE-2022-46663 is to update the GNU Less program to version 609 or later, where the vulnerability has been fixed.
Conclusion
---
CVE-2022-46663 reminds us of the importance of keeping software up-to-date and the need for vigilance when dealing with potentially malicious data files. By understanding and raising awareness about this vulnerability, we hope that users can take the necessary actions to patch their systems, preventing potential exploits from causing harm or compromising their terminals.
Timeline
Published on: 02/07/2023 21:15:00 UTC
Last modified on: 02/16/2023 15:03:00 UTC