Vulnerability in Less.js Causes Website to Leak AWS Secret Keys

Cybersecurity researchers at the Canadian firm Software Secured have identified a critical flaw in Less.js, a widely used CSS preprocessor. According to the report published by the firm, the vulnerability could be exploited by threat actors to achieve remote code execution.

Researchers report that Less.js transpiles to valid CSS code and is used to aid the writing of CSS for websites. In addition, the Less.js library supports plugins from remote sources using the @plugin syntax; these plugins must be written in JavaScript and will run when the Less code is interpreted.

Attackers can abuse this feature remotely: “If Less code is processed on the client-side, a cross-site scripting (XSS) attack could result, although its server-side execution can lead to remote code execution (RCE). All versions of Less with support for @plugin syntax are vulnerable to these scenarios. Less.js transpiles to valid CSS code and is used to aid the writing of CSS for websites,” says the report published by Software Secured.

The report includes a proof of concept (PoC) and a demonstration of real-world exploitation on CodePen.io, a website for creating and sharing Less.js code snippets. The operators of that website were notified, and a fix for the flaw has already been developed.

“The vulnerability requires certain conditions to be successful. An example vulnerable scenario might be a feature that accepts custom styling via Less code from a user. Once in a vulnerable configuration, it is straightforward to exploit the application,” Jeremy Buis, author of the blog post, told The Daily Swig. Buis said that, as far as he knows, Less has not patched the bug. “The backtick behavior has been known for a while and there is configuration to mitigate in recent versions,” he said.

“The plugin and @import (inline) behaviour hasn’t been written about before as far as we can tell. We reached out to the maintainers over a year ago, where the bugs were acknowledged,” Buis added. He advised Less.js users to mitigate the risk by considering the following: “Instead of Less code, allow regular CSS use instead. If Less support is required, then transpile the Less code on the client-side to avoid the threat of SSRF and RCE attacks.”
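For a service that still has to accept Less from users server-side, the following is an added example (not code from the Software Secured report or from Less.js itself) of a gate that rejects input containing the three constructs the article names, @plugin, @import (inline) and backtick JavaScript, before the text reaches any transpiler. The request handler, its `transpile` callback and the sample themes are hypothetical and constructed here; the per-version mitigation Buis mentions is assumed to be Less's `javascriptEnabled` option, which this check complements rather than replaces.

```javascript
// Added example (not code from the Software Secured report or from Less.js):
// a server-side gate that refuses user-supplied Less containing the constructs
// the article names before the text ever reaches a transpiler. Defence in depth
// only; serving plain CSS or transpiling on the client remains the real fix.

// Each rule maps to a behaviour described in the article: JavaScript plugins
// via @plugin, reads via @import (inline), and inline JavaScript via backticks.
// Matching runs on the raw text on purpose: a directive that hides behind what
// looks like a comment is rejected, not reasoned about (a false positive is the
// safe failure mode here).
const BLOCKED_CONSTRUCTS = [
  { name: 'plugin-directive',    pattern: /@plugin\b/i },
  { name: 'inline-import',       pattern: /@import\s*\([^)]*\binline\b[^)]*\)/i },
  { name: 'javascript-backtick', pattern: /`/ },
];

// Returns { ok: true } for input that passes, otherwise { ok: false, findings }
// listing every rule that fired, so the caller can reject and log the reason.
function vetUserLess(src) {
  const findings = BLOCKED_CONSTRUCTS
    .filter(rule => rule.pattern.test(src))
    .map(rule => rule.name);
  return findings.length ? { ok: false, findings } : { ok: true };
}

// Constructed sample inputs (not taken from the report).
const SAFE_THEME = [
  '@brand: #0a7;  // ordinary variables, nesting and functions are allowed',
  '.btn { color: @brand; &:hover { color: darken(@brand, 10%); } }',
].join('\n');

const SUSPECT_THEME = [
  '/* looks like a theme, but pulls a plugin and inlines a file */',
  '@plugin "theme-helper";',
  '@import (inline, optional) "some-file.txt";',
  '@x: `1 + 1`;',
].join('\n');

// Hypothetical request handler showing where the gate sits: vet first, and only
// then hand the text to whatever transpiles it (passed in as a callback here).
function handleThemeUpload(lessSource, transpile) {
  const verdict = vetUserLess(lessSource);
  if (!verdict.ok) {
    return { status: 400, body: `rejected: ${verdict.findings.join(', ')}` };
  }
  return { status: 200, body: transpile(lessSource) };
}
```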