13th July 2021, Kathmandu
A vulnerability in popular preprocessor language Less.js might be exploited to realize remote code execution (RCE) against websites that permit users to input Less.js code, researchers have alerted.
Less.js stands for Learner Style Sheets which is a JavaScript tool that is a backward-compatible language extension of CSS.
To valid CSS code, Less.js is transpiled and is employed to assist the writing of CSS for websites.
The Less.js library assists plugins that may be included directly within the Less code from a foreign source utilizing the @plugin syntax.
While performing a pentest for one of the Secured Software’s Penetration Testing as a Service (PaaS) clients, they found an application feature that allowed users to create visualizations which further enabled them to custom styling. Users were allowed to input valid Less code by one of the visualizations, which was transpiled on the client-side to CSS.
This seemed like it needed a closer look.
As per security perspectives, Less has some interesting features. The inclusion of JavaScript by default is allowed with the use of the backtick operators by Less before version 3.0.0
To valid CSS code, Less.js is transpired and is employed to assist the writing of CSS for websites. The Less.js library assists plugins that may be included directly within the Less code from a foreign source utilizing the @plugin syntax.
Plugins are the syntax written in JavaScript and when the Less code is interpreted, any included plugins will execute. It is this feature that may leave a user susceptible to remote attack, researchers from Canadian infosec firm Software Secured said.
“The two results counting on the context of the Less processor is caused by this,” they wrote. It results in cross-site scripting (XSS), if Less code is processed on the client-side – but processed on the server side it leads to RCE. Most of the Less Supporting the @plugins syntax are susceptible, the researchers added.
The blog posted by Software Secured contains a proof-of-concept and example of how the plugins have been exploited in the real world.
As the researchers studied at CodePen.io, a popular website for creating web code snippets that assisted standard languages plus Less.js. Here, they attempted their PoCs against the site and were up to “leak their AWS secret keys and run capricious commands in their AWS Lambdas”.
Then they reported the vulnerability to CodePen.io, which patched the bug.
Less. js is transcompiled into valid CSS code and wants to write CSS for websites. The Less. js library supports add-ins that can be included directly in Less code from a foreign, syntax, @plugin. All Add-ins were written in JavaScript run, once you interpret the Less code.
This feature can turn a user into remote attacks, researchers from Canadian company Infosec Software Secured detailed in a blog post.
“As we will be placing our judgment, the way of complementing and @import (online) has never been written before. We notified managers over a year ago where bugs were known.
Buis urged Less. js users to mitigate the dangers through the following: “Instead of less code, allow CSS to be used on a normal basis,” he said. “If Less is necessary, it transpires the Less client-side code to bypass the likelihood of SSRF and RCE attacks. “To reduce the likelihood of XSS, upgrade to the latest edition where JavaScript-based reverse quote execution is disabled by default and fork the Less library and take away the ‘@plugin’ syntax. “
