Skip to content

Security Vulnerability: Bypass of Command Validation in shell_exec Tool #4

New issue
New issue
Open
Open
Security Vulnerability: Bypass of Command Validation in shell_exec Tool#4
@ClementineZsw

Description

@ClementineZsw
ClementineZsw
opened on Sep 16, 2025

Describe the vulnerability
A critical command injection vulnerability exists in the shell_exec tool of mcp-shell (version 0.3.1), allowing attackers to bypass existing security controls and execute arbitrary dangerous commands through shell-based obfuscation techniques.

The vulnerability arises from fundamental flaws in the command execution and validation architecture:

  1. Shell-based execution enables bypass techniques:
    The command execution flow uses exec.CommandContext(ctx, "bash", "-c", command) (executor.go line 105) which passes the entire command string to a bash shell for interpretation. This allows full use of shell syntax, including command substitution and concatenation, which can be exploited to bypass security checks.

  2. Inadequate validation based on keyword matching:
    While a security validation mechanism exists in validateCommand (security.go line 23), it relies on keyword matching (either blacklist or whitelist approaches). This can be easily circumvented by:

    • Splitting prohibited commands into fragments
    • Dynamically reconstructing them using shell features like echo -n and command substitution $()
    • Executing the reconstructed commands through nested substitution

  3. Complete execution chain:
    User-controlled input passes through the validation mechanism, then is executed via cmd.Run() (executor.go line 140) in a bash shell context, allowing obfuscated malicious commands to bypass checks and execute successfully.

This combination creates a critical security gap where attackers can execute any system command regardless of the intended validation controls.

To Reproduce

  1. Send the following request to a vulnerable mcp-shell server:
{
  "method": "tools/call",
  "params": {
    "name": "shell_exec",
    "arguments": {
      "base64": false,
      "command": "echo $($(echo -n c; echo -n h; echo -n m; echo -n o; echo -n d))"
    },
    "_meta": {
      "progressToken": 13
    }
  }
}
  1. Observe that:
    • The command successfully bypasses the validateCommand checks
    • The obfuscated command (which reconstructs "chmod") executes successfully
    • This demonstrates how any prohibited command can be similarly executed

Expected behavior
The application should implement security controls that address the root cause by:

  • Avoiding execution of arbitrary command strings through a shell
  • Using direct executable invocation with separate arguments to prevent shell interpretation
  • Implementing validation that occurs after shell parsing rather than before
  • Using allowlists for specific executable paths rather than keyword matching

These changes would prevent the use of shell features to bypass security controls.

Affected versions
Version 0.3.1

Additional context
Keyword-based validation cannot provide adequate security when commands are executed through a shell interpreter, as shell syntax provides numerous methods to obfuscate and reconstruct prohibited commands. The only effective solution is to eliminate shell interpretation for untrusted input.

Metadata

Metadata

Assignees

No one assigned

    Labels

    No labels
    No labels

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions