Privilege escalation through low-trust scripts

TinyPilot Security Advisory #004

Published: February 29, 2024

Overview

Versions of TinyPilot Pro before 2.6.3 and TinyPilot Community before 1.9.3 contain a privilege escalation vulnerability that weakens the security boundary between TinyPilot's low-trust web server code and its high-trust privileged processes.

What is the severity?

Low.

Who is affected?

All users running TinyPilot Pro 2.6.2 or older, and all users running TinyPilot Community 1.9.2 or older.

You can check which version of TinyPilot Pro your device runs by opening the TinyPilot web interface, navigating to the "Help" menu, and then clicking "About."

What is the impact?

On its own, this vulnerability has no known practical impact.

It would matter only if an attacker first found a separate vulnerability that let them execute code on the TinyPilot device as the low-trust tinypilot user. Chained with such a vulnerability, this one would let the attacker escalate from the limited tinypilot account to root and gain more complete control over the device.

What can customers do?

Update to TinyPilot Pro 2.6.3 or TinyPilot Community 1.9.3.

How is TinyPilot addressing this issue?

First, we identified every place where TinyPilot's high-trust processes execute low-trust web server code and changed each one so that the high-trust process runs the low-trust code with only the limited permissions of the low-trust account.

Next, we added checks to TinyPilot's low-trust web application code that detect when it is running with excessive privileges, such as running as root. These checks let us catch during development any remaining instance where a high-trust process executes low-trust code with excessive permissions.

Finally, we added a check to our continuous integration configuration that verifies that all low-trust code performs this excessive-privilege check. This reduces the chance that we accidentally reintroduce a vulnerability of this class in the future.

What are the technical details of the vulnerability?

The TinyPilot web server runs under a dedicated Linux user account named tinypilot. The tinypilot user account has limited privileges so that if an attacker compromises the TinyPilot web application, the operating system limits the potential damage.

TinyPilot performs some actions that require root permissions. We isolate these actions into dedicated privileged scripts that users can't invoke directly through the TinyPilot web interface.

While investigating this vulnerability, we discovered that some of TinyPilot's privileged scripts executed files owned by the limited tinypilot user account. Because a file's owner can modify it, an attacker who had gained control of the tinypilot account could replace the contents of such a file with their own code, and the privileged script would then execute that code as root. This would allow the attacker to elevate their privilege from the limited tinypilot account to the root account.

We fixed this vulnerability by ensuring that wherever a privileged script executes a file owned by tinypilot, it runs that file with only the permissions of the tinypilot user account, so that modifying the file gains the attacker nothing they could not already do as tinypilot.
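The shell script below is an added example, not TinyPilot's own code. It illustrates the pattern described in this section and in "How is TinyPilot addressing this issue?": a root-run script that executes a tinypilot-owned file (shown only as a comment), the hardened form that drops to the tinypilot account before executing such a file, a guard that low-trust scripts can call to refuse to run as root, and the kind of continuous-integration check that reports any low-trust script missing that guard. The account name tinypilot comes from the advisory; the paths, the function names, and the use of runuser (from util-linux; sudo -u would serve the same purpose) are assumptions.

```shell
#!/bin/sh
# Added example, not TinyPilot's code. The account name "tinypilot" is from
# the advisory; paths, function names and the use of runuser are assumptions.
set -u

LOW_TRUST_USER="tinypilot"

# VULNERABLE pattern (illustration only, never executed here). A privileged
# script running as root invokes a file that the tinypilot user owns:
#
#   /home/tinypilot/app/scripts/helper.sh      # <- runs as root
#
# Whoever controls the tinypilot account can rewrite helper.sh, and the next
# privileged run executes their code as root.

# HARDENED pattern: execute a tinypilot-owned file only with tinypilot's
# permissions. When we are already unprivileged there is nothing to drop.
run_as_low_trust() {
  if [ "$(id -u)" -eq 0 ]; then
    runuser -u "$LOW_TRUST_USER" -- "$1"
  else
    "$1"
  fi
}

# Is the file owned by the given user? If a root-run script is about to
# execute it directly, that is exactly the escalation path described above.
# Returns 0 (true) when the file is owned by that user.
owned_by_user() {
  [ -n "$(find "$1" -maxdepth 0 -user "$2" 2>/dev/null)" ]
}

# Guard for low-trust scripts: refuse to run with excessive privileges.
# Takes the effective UID as an argument so it can be exercised offline;
# a real low-trust script would call:  refuse_if_root "$(id -u)" || exit 1
refuse_if_root() {
  if [ "$1" -eq 0 ]; then
    echo "refusing to run as root: this is low-trust code" >&2
    return 1
  fi
  return 0
}

# CI check: print every low-trust script in a directory that lacks the guard
# and return 1 so the build fails; return 0 when the tree is clean.
scripts_missing_guard() {
  missing_scripts=$(grep -L 'refuse_if_root' "$1"/*.sh)
  if [ -z "$missing_scripts" ]; then
    return 0
  fi
  printf '%s\n' "$missing_scripts"
  return 1
}

# Stand-alone demo on constructed files (no real TinyPilot scripts involved).
demo() {
  demo_dir=$(mktemp -d)
  printf '#!/bin/sh\nrefuse_if_root "$(id -u)" || exit 1\necho guarded\n' \
    > "$demo_dir/guarded.sh"
  printf '#!/bin/sh\necho no guard here\n' > "$demo_dir/unguarded.sh"
  echo "Low-trust scripts missing the privilege guard:"
  scripts_missing_guard "$demo_dir" || echo "(CI would fail the build here)"
  rm -rf "$demo_dir"
}

demo
```

In the real fix the privileged side changes (the script drops to tinypilot before executing anything tinypilot owns), while the guard and the CI check exist to catch regressions: a low-trust script that finds itself running as root aborts instead of silently doing the attacker's work.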

Questions

If you have any questions or concerns about this issue, please contact our support team:

Written by Dave Brown, TinyPilot Support Engineer