TinyZero Command Injection Vulnerability in HDFS File Operations Allowing Remote Code Execution
Vulnerability
A critical command injection vulnerability has been identified in the TinyZero project, specifically in its HDFS file operation utilities. The flaw, classified under CWE-78 (improper neutralization of special elements used in an OS command), arises from constructing shell command strings and executing them with os.system() without sanitizing or escaping the input. User-controlled input, such as file paths, is interpolated directly into the command string via f-strings in the _copy() function, so any shell metacharacters in the path are interpreted by the shell rather than treated as part of the file name. An attacker can exploit this by supplying a specially crafted path parameter through the Hydra configuration framework, leading to arbitrary OS command execution with the privileges of the user running the TinyZero training process.
Impact
Successful exploitation allows arbitrary OS command execution, resulting in remote code execution on the system where TinyZero is run, with the privileges of the user executing the TinyZero training process.
Reproduction
To reproduce this vulnerability, first ensure that TinyZero is installed and set up correctly. Then, through the Hydra configuration framework, provide a crafted path parameter that includes the OS commands to be executed. The _copy() function interpolates this input into a shell command string, which os.system() passes to the shell, resulting in command injection.
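The following is an added example written for this advisory, not code from the TinyZero project. It contrasts the pattern described above (a path interpolated into a command string for os.system()) with a hardened variant that validates the path against an allow-list and passes it to subprocess.run() as a single argv element with no shell involved. The hdfs dfs -cp command line and the allow-list regex are assumptions made for the illustration; TinyZero's actual _copy() implementation may differ.

```python
import re
import subprocess
from typing import List

# Allow-list for paths this utility will accept: an optional hdfs://authority
# prefix followed by an absolute path built from a conservative character set.
# Constructed for this example; widen it deliberately if a deployment needs
# other characters. Shell metacharacters (; | & $ ` " ' etc.) are never allowed.
_PATH_RE = re.compile(r"^(?:hdfs://[A-Za-z0-9._:-]+)?/(?:[A-Za-z0-9._-]+/)*[A-Za-z0-9._-]*$")


def validate_path(path: str) -> str:
    """Return path unchanged if it matches the allow-list, otherwise raise ValueError."""
    if not _PATH_RE.fullmatch(path):
        raise ValueError(f"refusing path with characters outside the allow-list: {path!r}")
    # Reject parent-directory traversal segments as well.
    if ".." in path.split("/"):
        raise ValueError(f"refusing path with parent-directory segment: {path!r}")
    return path


def vulnerable_command_string(src: str, dst: str) -> str:
    """The command string the pattern described in the advisory would hand to
    os.system(). It is only built here, never executed: with os.system() every
    shell metacharacter inside src or dst is interpreted by /bin/sh."""
    return f"hdfs dfs -cp {src} {dst}"


def safe_copy_argv(src: str, dst: str) -> List[str]:
    """Build an argv list for the copy. Each path is exactly one argument, so the
    kernel receives it verbatim and no shell ever parses it."""
    return ["hdfs", "dfs", "-cp", validate_path(src), validate_path(dst)]


def copy(src: str, dst: str) -> int:
    """Hardened copy: validated argv and shell=False. Returns the exit code of the
    hdfs client (assumed to be on PATH)."""
    result = subprocess.run(safe_copy_argv(src, dst), shell=False, check=False)
    return result.returncode


def is_rejected(path: str) -> bool:
    """True if the validator refuses the path (handy for tests and config checks)."""
    try:
        validate_path(path)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    # Constructed sample values: a benign path and one carrying a shell separator.
    benign = "hdfs://namenode:8020/user/trainer/checkpoint"
    crafted = "/tmp/out; echo injected"
    print("shell string the vulnerable pattern would run:",
          vulnerable_command_string(crafted, benign))
    print("hardened argv for a benign path:", safe_copy_argv("/data/local", benign))
    print("crafted path rejected by validator:", is_rejected(crafted))
```

The key property of the fix is structural rather than cosmetic: even if the allow-list were relaxed, passing a list to subprocess.run() with shell=False means the path can never be re-parsed as shell syntax. The validator adds defence in depth and gives a clear error at configuration time instead of a failed or unexpected copy at run time.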
