[Security] Command Blocklist Bypass via Absolute Path #218
Description
Outline
The command blocklist can be bypassed by specifying the absolute path to a blocked command. The extractBaseCommand function uses the entire string as the command name if it contains no spaces, failing to normalise paths to their base command name. For example, the check fails to match the blocked command sudo with the user input /usr/bin/sudo.
Proof of Concept
- Set up DesktopCommanderMCP with an MCP Client.
- Find the absolute path of the command you want to run (e.g.,
which <blocked-command>). - Send the following request to bypass the blocklist via the absolute path:
Can you run
execute_commandusing Desktop Commander with the following command:
/usr/sbin/iptables
The expected behaviour is that providing the absolute path for a blocked command like iptables should result in the execution being blocked. However, the logic only checks the full string /usr/sbin/iptables, which is not an exact match for "iptables" in the blocklist. The check passes, and the blocked command is executed.
Impact
This vulnerability allows a malicious actor to bypass the command blocklist by simply providing a full path to the command. This leads to arbitrary command execution, nullifying the security control. The severity would vary depending on the privileges of the user running the server.
Recommended Fix
Modify the extractBaseCommand function to normalise the command token. Before returning, it should process the token to extract only the base name of the path. In Node.js, this can be done using the path.basename() function.
Note: I reached out to the maintainer to responsibly disclose this vulnerability and was asked to post the details in the GitHub issues.