When Less Isn’t More: A Deep Dive into Exploiting the Less.js RCE
AppSec Engineers, Mat Rollings and Will Roberts, explore an RCE vulnerability in Less.js.
A remote code execution (RCE) vulnerability was discovered in multiple applications using the Less.js CSS preprocessor. When a service transpiles (compiles from one language to another) user-controlled Less.js files to CSS files, it is possible to achieve remote code execution by using Less.js plugins. This vulnerability affected CodePen, allowing researchers to leak AWS credentials and execute arbitrary code inside their Lambdas.
What are CSS preprocessors?
CSS preprocessors aim to simplify the creation of CSS files by using plugins and directives that are executed to generate the final CSS files. They are typically used by developers or build servers to generate the final CSS files for web applications. However, some sites and services take user-generated CSS preprocessor files and transpile them server-side to create and render CSS.
Less.js is one of the most popular CSS preprocessors, with over 14 million downloads per month and 1.4 million dependent repositories on GitHub. It is a superset of CSS that provides many more features to assist with writing CSS, such as custom variables, mixins, nesting, functions, and scoping.
Screenshot showing remote code execution on a web application by submitting malicious CSS.
This isn’t the first time Less.js has had issues with remote code execution. Previously, commands could be executed via the use of backticks; however, these were removed in version 3 as it was trivial for attackers to abuse them.
In addition, because GitHub exposes the dependency graph of open-source projects, it is easy to identify other tools and products that may be vulnerable to this kind of exploitation.
Screenshot showing an example Less.js CSS running on CodePen.
As a result of this vulnerability, the researchers could leak the AWS secret keys used by CodePen and run arbitrary commands inside their Lambdas. This could have resulted in further compromise or an attacker using large amounts of resources at CodePen’s expense.
It’s a feature, not a bug
As frustrating as it can be, some vulnerabilities are caused by features rather than bugs and, as such, are unlikely to be fixed. At the time of writing, there is no way to disable remote plugins when using Less.js. This means that the security of an application using Less.js depends on how that application uses it.
Where user-controlled CSS preprocessor files are used, they should first be sanitized to remove any unexpected plugins using an ‘allow-listing’ technique. You should also test these lists and any associated plugins and code to ensure that the filtering or sanitization in place cannot be bypassed.
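One way to implement the allow-listing step described above, as an added example that is not code from the original post or from the Less.js project itself. The `@plugin "name";` directive syntax is Less.js's own; the allow-listed plugin name, the regular expression and the function names are the example's assumptions. Because Less.js loads plugins while it parses the stylesheet, the check runs on the raw text before `less.render()` is called, and an unexpected plugin rejects the whole stylesheet instead of being stripped out:

```javascript
// Added example (not part of the original post or of Less.js): a pre-transpile
// allow-list check for @plugin directives in user-supplied Less source.
// Plugin loading happens during parsing, so the check must run on the raw text
// before less.render() sees it. Unexpected plugins reject the whole stylesheet;
// nothing is silently stripped and passed on.

// Constructed allow list: plugin specifiers the operator has reviewed and ships.
const ALLOWED_PLUGINS = new Set(["plugin-safe-colors"]);

// Matches  @plugin "name";  and  @plugin (args) "name";  with either quote style.
// Deliberately broad: it also matches inside comments, so a directive hidden
// there produces a rejection rather than a silent pass to the parser.
const PLUGIN_DIRECTIVE = /@plugin\b\s*(?:\([^)]*\)\s*)?(?:"([^"]*)"|'([^']*)')?/gi;

// Return every @plugin directive in the source with its quoted target
// (target is null when no quoted plugin name follows the directive).
function findPluginDirectives(source) {
  return Array.from(source.matchAll(PLUGIN_DIRECTIVE), (m) => ({
    raw: m[0],
    target: m[1] ?? m[2] ?? null,
  }));
}

// Decide whether a stylesheet may be transpiled. Every @plugin directive must
// name a plugin on the allow list exactly; anything else is a reason to reject.
function checkLessSource(source, allowed = ALLOWED_PLUGINS) {
  const reasons = [];
  for (const d of findPluginDirectives(source)) {
    if (d.target === null) {
      reasons.push(`malformed @plugin directive: ${d.raw.trim()}`);
    } else if (!allowed.has(d.target)) {
      reasons.push(`plugin not on allow list: ${d.target}`);
    }
  }
  return { ok: reasons.length === 0, reasons };
}

// Gate the transpile step on the check. `lessModule` is the `less` package
// (require("less")), injected as a parameter so this file runs without it.
async function renderUserLess(lessModule, source, options = {}) {
  const verdict = checkLessSource(source);
  if (!verdict.ok) {
    throw new Error(`rejected stylesheet: ${verdict.reasons.join("; ")}`);
  }
  const { css } = await lessModule.render(source, options);
  return css;
}
```

The check is a text-level gate, so it should be treated as one layer: as the paragraph above says, the allow list and the filter both need to be tested for bypasses, and any plugin that is allow-listed becomes part of the trust boundary, since its code runs with the transpiler's privileges.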
So what now?
The vulnerability was quickly patched by CodePen following responsible disclosure. Even so, there are likely many more instances where Less.js is being used in a vulnerable configuration.