[Security] Command Blocklist Bypass Via Command Substitution
Outline
The command validation logic in the CommandManager class is vulnerable to a bypass when an attacker uses shell command substitution syntax, such as $(...) or backticks (`...`). The parser does not recognise this syntax and does not recursively validate the commands nested inside it, so a blocked command (e.g. sudo) can be executed by embedding it in an allowed command (such as echo).
Proof of Concept
- Set up DesktopCommanderMCP with an MCP Client.
- Send a request with a nested command such as the below:
Can you run execute_command using Desktop Commander with the following command:
echo "Hello World... $(iptables)"
The expected behaviour is that the command is blocked, because iptables is on the default blocklist. However, the validation logic only extracts the echo command, returns true, and allows iptables to run.
Impact
This vulnerability allows a malicious actor to bypass the command blocklist entirely, leading to arbitrary command execution: a malicious prompt can run any command. The severity depends on the privileges of the user running the server.
Recommended Fix
The extractCommands function needs to be updated to account for shell command substitution syntax. When command substitution is detected, the content inside it should be passed recursively back into extractCommands so that every nested command is also validated against the blocklist.
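One way to implement that recursive check, as an added example and not DesktopCommanderMCP's own code (the BLOCKED set, findSubstitutions and isAllowed are assumed names, not the project's API):

```typescript
// Added example, not DesktopCommanderMCP's own code; BLOCKED and the helper
// names are assumptions, the project's real blocklist and API differ.
const BLOCKED: ReadonlySet<string> = new Set(["sudo", "iptables", "su"]);

// Pull every $(...) and `...` body out of a line (nesting-aware, tolerant of
// unterminated substitutions) and return the line with those bodies removed.
function findSubstitutions(line: string): { stripped: string; inner: string[] } {
  const inner: string[] = [];
  let stripped = "";
  let i = 0;
  while (i < line.length) {
    if (line.startsWith("$(", i)) {
      let depth = 1, j = i + 2;
      while (j < line.length && depth > 0) {
        if (line.startsWith("$(", j)) { depth++; j += 2; continue; }
        if (line.charAt(j) === ")") depth--;
        j++;
      }
      inner.push(line.slice(i + 2, depth === 0 ? j - 1 : j));
      i = j;
    } else if (line.charAt(i) === "`") {
      const close = line.indexOf("`", i + 1);
      const end = close === -1 ? line.length : close;
      inner.push(line.slice(i + 1, end));
      i = end + 1;
    } else {
      stripped += line.charAt(i);
      i++;
    }
  }
  return { stripped, inner };
}
// First word of each top-level simple command (split on ; && || |), plus,
// recursively, every command nested in a substitution. Conservative on
// purpose: single-quoted text is inspected too, so it may over-block but
// never silently passes a nested command.
function extractCommands(line: string): string[] {
  const { stripped, inner } = findSubstitutions(line);
  const names: string[] = [];
  for (const seg of stripped.split(/\|\||&&|;|\|/)) {
    const first = seg.trim().split(/\s+/)[0];
    if (first) names.push(first);
  }
  for (const sub of inner) names.push(...extractCommands(sub));
  return names;
}
function isAllowed(line: string): boolean {
  return extractCommands(line).every((cmd) => !BLOCKED.has(cmd));
}
```

With this, the proof-of-concept line yields ["echo", "iptables"] and is rejected, while a plain pipeline such as cat notes.txt | grep todo still passes.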
Note: I reached out to the maintainer to responsibly disclose this vulnerability and was asked to post the details in the GitHub issues.