chilipeppr / serial-port-json-server

Serial Port JSON Server is a websocket server for your serial devices. It compiles to a binary for Windows, Mac, Linux, Raspberry Pi, or BeagleBone Black that lets you communicate with your serial port from a web application. This enables web apps to be written that can communicate with your local serial device such as an Arduino, CNC controller, or any device that communicates over the serial port.
http://chilipeppr.com
GNU General Public License v2.0

exec support should be put behind a command line switch #2

Open DanielJoyce opened 8 years ago

DanielJoyce commented 8 years ago

This feature is SUPER dangerous and trivial to exploit. Depending on installation, the example Linux startup script will cause it to start as root, and then it's trivial for an attacker to gain control of the box. "Put it behind a firewall" is not enough. If the attacker gained network access, and then access to a low-privilege account (say guest or http on a computer), they could then use curl or even telnet or other tools to send commands to spjs on localhost and quickly gain root.

As more and more 3D printing software is used in research and other institutions, SPJS now becomes a trivial way to gain root on one box, and then it becomes easier to hack other boxes. Except for a minor note in the release notes, this feature is not readily apparent, nor is its HUGE security risk explained.

Also, when exec support is enabled, it should spew a warning into the logs as to how dangerous this is.

Really it should just be removed or something, or a way should be provided to provide a limited set of CUSTOM commands, via a config / whitelist file. Arbitrary command execution is a huge hole.

For my personal use, I will be forking this repo and removing this feature. It's a HUGE risk.
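As an added example (not part of this issue and not the project's own code), here is one way to implement the mitigations the comment asks for in Go, the language the server is written in: exec support behind a command-line switch that defaults to off, a loud warning logged when it is enabled, and a JSON allowlist that maps client-requested names to fixed executables so a remote client can never pick the binary itself. The `-allow-exec` flag name, the `ExecGate` type, the sample allowlist file contents and the argument pattern are all assumptions made for this example.

```go
package main

import (
	"encoding/json"
	"errors"
	"flag"
	"fmt"
	"log"
	"os/exec"
	"regexp"
	"strings"
)

// Allowlist maps a short command name that a client may request to the fixed
// executable (and leading arguments) the operator is willing to run. Because the
// executable is fixed here, a websocket client can only choose among approved
// names, never supply its own program.
type Allowlist map[string][]string

// Constructed sample config: what an operator might put in an exec-allowlist.json
// file. Assumed for this example, not a file the project ships.
const sampleConfig = `{
  "list-ports": ["ls", "/dev"],
  "disk-free":  ["df", "-h"]
}`

// argPattern rejects shell metacharacters and path separators in client-supplied
// arguments, so an allowed command cannot be steered at arbitrary paths or
// turned into a shell pipeline.
var argPattern = regexp.MustCompile(`^[A-Za-z0-9_.-]+$`)

var (
	ErrExecDisabled = errors.New("exec support is disabled; start with -allow-exec to enable")
	ErrNotAllowed   = errors.New("command not in allowlist")
	ErrBadArgument  = errors.New("argument contains disallowed characters")
)

// LoadAllowlist parses the JSON allowlist and rejects entries with no executable.
func LoadAllowlist(configJSON string) (Allowlist, error) {
	var al Allowlist
	if err := json.Unmarshal([]byte(configJSON), &al); err != nil {
		return nil, fmt.Errorf("allowlist config: %w", err)
	}
	for name, argv := range al {
		if len(argv) == 0 {
			return nil, fmt.Errorf("allowlist entry %q has no executable", name)
		}
	}
	return al, nil
}

// ExecGate is the state behind the command-line switch.
type ExecGate struct {
	Enabled bool
	List    Allowlist
}

// NewExecGate builds the gate and, when exec is on, writes the warning the
// issue asks for so the risk is visible in the logs.
func NewExecGate(enabled bool, list Allowlist) *ExecGate {
	if enabled {
		log.Printf("WARNING: exec support enabled; websocket clients can run %d allowlisted commands with this process's privileges", len(list))
	}
	return &ExecGate{Enabled: enabled, List: list}
}

// Resolve turns a client request such as ("disk-free", [".") into the argv that
// would actually be executed, or an error. It runs nothing itself, so the policy
// can be unit-tested without touching the system.
func (g *ExecGate) Resolve(name string, clientArgs []string) ([]string, error) {
	if !g.Enabled {
		return nil, ErrExecDisabled
	}
	base, ok := g.List[name]
	if !ok {
		return nil, fmt.Errorf("%w: %q", ErrNotAllowed, name)
	}
	for _, a := range clientArgs {
		if !argPattern.MatchString(a) {
			return nil, fmt.Errorf("%w: %q", ErrBadArgument, a)
		}
	}
	argv := append(append([]string{}, base...), clientArgs...)
	return argv, nil
}

// Run executes a resolved request directly, without a shell, so argv is passed verbatim.
func (g *ExecGate) Run(name string, clientArgs []string) ([]byte, error) {
	argv, err := g.Resolve(name, clientArgs)
	if err != nil {
		return nil, err
	}
	return exec.Command(argv[0], argv[1:]...).CombinedOutput()
}

func main() {
	allowExec := flag.Bool("allow-exec", false, "enable the exec command (dangerous; off by default)")
	flag.Parse()
	list, err := LoadAllowlist(sampleConfig)
	if err != nil {
		log.Fatal(err)
	}
	gate := NewExecGate(*allowExec, list)
	argv, err := gate.Resolve("disk-free", []string{"."})
	fmt.Println(strings.Join(argv, " "), err)
}
```

Run without `-allow-exec` and `Resolve` returns `ErrExecDisabled` for every request; with it, only names present in the allowlist resolve, and the command is started with `exec.Command` rather than through a shell so the argument check is the only thing a client-supplied string can reach.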