CVE-2022-44542 – Exploring the Remote Code Execution Vulnerability in Lesspipe before 2.06 via Perl Storable Files

CVE-2022-44542 presents a vulnerability in the popular utility lesspipe, which is often employed as the output processor for the 'less' command. When processing Perl Storable (pst) files, lesspipe can potentially execute arbitrary code, offering attackers room for exploitation. This vulnerability is present in lesspipe versions before 2.06, and it can be disastrous if left unaddressed.

In this article, we'll dive into the details of CVE-2022-44542, including a description of the affected code, references to the original researchers and their work, and a discussion of how this exploit works.

Problem Description

The issue stems from a piece within lesspipe that handles Perl Storable (pst) files. During the handling of these files, deserialized object destructor execution can be triggered via a key/value pair in a hash.

Here's a code snippet demonstrating this problem

#!/usr/bin/perl

use Storable qw( nfreeze );
use IO::Socket;

my $object = {};

my $code = 'system("id")'; # Arbitrary code

sub DESTROY {
    eval($code);
}

bless($object, main::);

my $frozen = nfreeze($object);

print $frozen;


With this code in place, an attacker could potentially force arbitrary code execution by crafting a malicious Perl Storable file.

Acknowledgements and References

Credit for the discovery of this vulnerability goes to the user 'taviso' on GitHub, who reported it through the following issue on lesspipe's GitHub repository:

- https://github.com/wofr06/lesspipe/issues/13

Taviso's report includes more information about his findings. The official Git commit addressing this vulnerability can be found here:

- https://github.com/wofr06/lesspipe/commit/50af217620efd495fcbc8df63e8541bf27d66578

CVE Details page for this vulnerability can be accessed here

- https://www.cvedetails.com/cve/CVE-2022-44542/

How the Exploit Works

The exploit takes advantage of deserialized object destructor execution via a key/value pair in a hash, potentially causing the arbitrary code to run.

An attacker crafts a malicious Perl Storable file containing the desired code to execute.

2. The attacker sends this file to the target system. The victim may receive it as an email attachment, through instant messaging, or via another file-sharing method.

The victim opens the file using the 'less' command.

4. The 'less' command calls lesspipe as the output processor, which then parses the malicious Perl Storable file.
5. During the parsing process, a function (such as DESTROY in the code snippet above) is called, which triggers the execution of the code, resulting in the arbitrary code execution.

Conclusion

CVE-2022-44542 is a critical vulnerability in lesspipe that allows remote code execution when processing Perl Storable files. To mitigate the risk of this exploit, users must update to lesspipe 2.06 or newer versions.

In this article, we presented an overview of the vulnerability, showcased a code snippet demonstrating the problem, and provided links to the initial reports made by the discoverer. It's vital to understand the implications of this vulnerability and take the appropriate steps to remediate it, ensuring that systems remain secure from potential exploitation.

Timeline

Published on: 11/01/2022 01:15:00 UTC
Last modified on: 12/22/2022 20:37:00 UTC