CVE-2022-48624 Overview
CVE-2022-48624 is a command injection vulnerability in the close_altfile function within filename.c in the less file pager utility. Versions before 606 fail to properly invoke shell_quote calls for the LESSCLOSE environment variable handler, allowing attackers to inject arbitrary shell commands through specially crafted filenames.
Critical Impact
Local attackers with low privileges can achieve arbitrary command execution with the permissions of the user running less, potentially leading to complete system compromise through malicious filename manipulation.
Affected Products
- Greenwoodsoftware less versions prior to 606
- Linux distributions shipping vulnerable less versions
- Systems with LESSCLOSE environment variable configured
Discovery Timeline
- 2024-02-19 - CVE CVE-2022-48624 published to NVD
- 2025-03-27 - Last updated in NVD database
Technical Details for CVE-2022-48624
Vulnerability Analysis
This vulnerability exists because the close_altfile function in filename.c processes filenames without proper shell quoting when invoking the LESSCLOSE handler. The LESSCLOSE environment variable is designed to allow users to specify a command that runs after less closes a file, typically used for cleanup operations with input preprocessors. When filenames containing shell metacharacters are passed to this handler without sanitization, the shell interprets these characters, enabling command injection.
The attack requires local access and the ability to create or control filenames that will be viewed using less. When a user opens a maliciously crafted filename with less, the unquoted filename is passed directly to the shell through the LESSCLOSE mechanism, allowing embedded shell commands to execute with the user's privileges.
Root Cause
The root cause is a missing call to the shell_quote function when constructing the command string for LESSCLOSE execution. The less utility provides a shell_quote function specifically designed to escape shell metacharacters in strings that will be passed to shell execution. However, the close_altfile function in versions prior to 606 failed to apply this quoting to both the filename and alternate filename parameters, creating an injection vector.
Attack Vector
An attacker can exploit this vulnerability by creating a file with a malicious filename containing shell metacharacters and command sequences. When a victim uses less to view this file (or any file in the same directory depending on shell expansion), and LESSCLOSE is configured, the embedded commands execute upon file closure. This is a local attack vector requiring the attacker to either place malicious files on the system or trick a user into viewing attacker-controlled filenames.
// Security patch in filename.c - Shell-quote filenames when invoking LESSCLOSE
// Source: https://github.com/gwsw/less/commit/c6ac6de49698be84d264a0c4c0c40bb870b10144
{
#if HAVE_POPEN
char *lessclose;
+ char *qfilename;
+ char *qaltfilename;
FILE *fd;
char *cmd;
int len;
The patch introduces qfilename and qaltfilename variables to store the shell-quoted versions of the filename parameters before they are used in command construction.
Detection Methods for CVE-2022-48624
Indicators of Compromise
- Presence of files with unusual shell metacharacters in filenames (e.g., $(command), backticks, semicolons)
- Unexpected process executions spawned as children of less processes
- LESSCLOSE environment variable set to suspicious or unexpected values
- Audit logs showing command execution originating from less with unexpected arguments
Detection Strategies
- Monitor for child process creation from less processes that don't match expected LESSCLOSE behavior
- Implement file integrity monitoring on directories where users commonly browse files
- Use endpoint detection to flag suspicious filename patterns containing shell injection characters
- Review and audit LESSCLOSE environment variable configurations across systems
Monitoring Recommendations
- Enable process auditing to track command execution chains involving the less utility
- Configure SentinelOne behavioral AI to detect anomalous process trees originating from file viewing utilities
- Monitor for creation of files with shell metacharacters in commonly accessed directories
- Implement alerts for unexpected network connections or file system modifications from less processes
How to Mitigate CVE-2022-48624
Immediate Actions Required
- Upgrade less to version 606 or later immediately
- Audit systems for configured LESSCLOSE environment variables
- Consider temporarily unsetting LESSCLOSE on critical systems until patching is complete
- Review recent file access logs for suspicious filename patterns
Patch Information
The vulnerability was fixed in less version 606. The security commit introduces proper shell quoting for filenames passed to the LESSCLOSE handler. A version comparison between v605 and v606 shows the complete changes.
Distribution-specific patches are available:
Workarounds
- Unset the LESSCLOSE environment variable to disable the vulnerable functionality: unset LESSCLOSE
- Use alternative file viewing utilities such as cat, more, or view until patching
- Implement strict filename validation in environments where users may encounter untrusted files
- Configure file system permissions to prevent creation of files with shell metacharacters in shared directories
# Configuration example - Disable LESSCLOSE to mitigate vulnerability
# Add to /etc/profile or user's shell configuration
# Unset LESSCLOSE to prevent command injection
unset LESSCLOSE
# Alternatively, verify less version is patched
less --version | head -1
# Ensure version is 606 or higher
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
