
Introduction

In December 2022, security researchers disclosed CVE-2022-46663, a vulnerability in the GNU Less pager (a common tool found on most Unix/Linux systems). The bug exists because versions of less before 609 do not properly filter ANSI escape sequences when the -R (or --RAW-CONTROL-CHARS) option is used. With specially crafted input, this loophole lets an attacker push dangerous (or just annoying) terminal codes to whoever views the data with less -R.

This article breaks down how the bug works, why it’s a problem, and how you might demonstrate or test it on your own system (plus tips on defense). Links to original references are included at the end.

What’s GNU Less and What’s ‘-R’?

less is a command-line utility for viewing text files page by page. The -R option lets less display "raw" control characters, specifically some ANSI escape codes used for colors and text formatting. The intent is to let through only "safe" codes like colors, but *not* more complex or dangerous sequences, like those that move your cursor around, clear the screen, or even rewrite your shell prompt.

The CVE-2022-46663 Bug

Before version 609, the filter in less -R was not strict enough. An attacker could sneak in malicious ANSI escape sequences—beyond just color codes—knowing less would not filter these out. If you viewed a file, log, or data stream with these sequences, they’d execute in your terminal. Impact can range from pranks (changing your prompt or screen colors) to outright mischief (spoofing, tricking you into running commands, or exposing sensitive info via clipboard tricks).

Exploit Details & Code Example

Here’s a minimal demo to show how the bug works. Imagine an attacker sends you a file containing the following:

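```bash
echo -e "Hello. \033[2J\033[H\033[31mBye!\033[m" > evil.txt
```

- \033[2J: *clears the screen*
- \033[H: *moves the cursor to the top-left corner*
- \033[31m: *sets the text color to red*
- \033[m: *resets formatting*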

Normally, less (no options) would try to hide all escape sequences. With less -R (before v609), running:

```bash
less -R evil.txt
```

...actually clears your terminal screen, moves your prompt, and prints ‘Bye!’ in red.

With this, attackers can inject far sneakier sequences (like OS command triggers or clipboard overwrite via OSC52).

Real-World Attack Scenario

Say you’re investigating logs e-mailed by a colleague (or a server) and use less -R. If the logs are maliciously crafted, your terminal could be manipulated: prompt changed, commands invisibly entered, history erased, etc.

Mitigation & Fixes

- Upgrade Less: Versions 609 and later patch this by only allowing safe color codes through -R. Download the latest from greenwoodsoftware.com or update via your package manager.
- Don’t Trust Colors: Don’t use less -R on untrusted data files (or streams) — stick to less (without -R) if you’re not sure.
- Inspect Suspicious Files: You can examine the raw escape codes in suspicious files using cat -v evil.txt or od -c evil.txt before viewing with less -R.
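
To automate the inspection step above, the following added example (not from the original article or the less project) flags every escape sequence in a file that is not a plain SGR color/attribute code. Treating only SGR as safe is an assumption based on this article's description of "safe color codes"; it is not less's own filter logic, and `scan`, `SAMPLE` and the regex names are illustrative.

```python
import re
import sys

# CSI = ESC [ params (0x30-0x3F) intermediates (0x20-0x2F) final byte (0x40-0x7E)
CSI_RE = re.compile(rb"\x1b\[([0-?]*)([ -/]*)([@-~])")
# OSC = ESC ] payload, terminated by BEL or ST (ESC \)
OSC_RE = re.compile(rb"\x1b\][^\x07\x1b]*(?:\x07|\x1b\\)")
# Plain SGR (colour/attribute) parameters: digits separated by ; or :
SGR_PARAMS_RE = re.compile(rb"[0-9;:]*")

# Constructed sample: the bytes the article's echo -e command writes to evil.txt
SAMPLE = b"Hello. \x1b[2J\x1b[H\x1b[31mBye!\x1b[m\n"


def scan(data: bytes):
    """Return (offset, kind, raw) for each escape sequence that is not plain SGR."""
    findings = []
    pos = data.find(b"\x1b")
    while pos != -1:
        csi = CSI_RE.match(data, pos)
        osc = OSC_RE.match(data, pos)
        if csi:
            params, inter, final = csi.groups()
            plain_sgr = final == b"m" and not inter and SGR_PARAMS_RE.fullmatch(params)
            if not plain_sgr:
                findings.append((pos, "CSI", csi.group(0)))
            end = csi.end()
        elif osc:
            findings.append((pos, "OSC", osc.group(0)))
            end = osc.end()
        else:
            # Bare ESC, unterminated OSC, or another sequence type: flag it, skip ESC only
            findings.append((pos, "ESC", data[pos:pos + 2]))
            end = pos + 1
        pos = data.find(b"\x1b", end)
    return findings


if __name__ == "__main__":
    # With no argument, scan the constructed sample instead of a file
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE
    hits = scan(data)
    for offset, kind, raw in hits:
        print(f"offset {offset}: {kind} {raw!r}")
    sys.exit(1 if hits else 0)
```

The non-zero exit status on any finding lets the check gate a wrapper script or alias that only opens the file with less -R when the scan is clean.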

References and Further Reading

- Official CVE Entry at NVD
- Less Changelog
- Less Home Page

Conclusion

CVE-2022-46663 is a classic example of how seemingly harmless options in popular tools can become risky when input isn’t filtered enough. The fix? Keep tools updated, avoid risky flags on unknown content, and always be wary of escape sequences in your terminal. If you’re still using Less < v609, now’s the time to update!


*If you found this helpful, check the references above and always keep your terminal safe!*

Timeline

Published on: 02/07/2023 21:15:00 UTC
Last modified on: 02/16/2023 15:03:00 UTC