LSTM-Kirigaya Openmcp-Client Visual Studio Code Extension OS Command Injection Vulnerability

A command injection vulnerability has been identified in the LSTM-Kirigaya openmcp-client Visual Studio Code extension, prior to version 0.1.12. This vulnerability occurs when Windows users connect to a maliciously controlled MCP server. Attackers can inject a harmful authorization server endpoint, which is then processed by the extension. This exploitation takes place during the OAuth authorization flow, where the extension uses a command that opens a browser for user authentication. The injected command is executed on the user's operating system, leading to a compromise of the client's system.

Impact

Exploitation of this vulnerability allows for arbitrary OS command execution on the affected user's system, potentially leading to a full system compromise.

Reproduction

To reproduce this vulnerability, connect to an attacker-controlled MCP server using the openmcp-client extension version prior to 0.1.12 on a Windows machine. The attacker can then inject a malicious authorization endpoint into the OAuth metadata discovery flow. When the openmcp-client attempts to open the authorization URL, the injected command is executed on the user's system. This exploitation can be automated with a provided Python script, which, when used in conjunction with the vulnerable extension, demonstrates the command injection by executing a calculator application and creating a file in the user's temp directory.

Remediation

Users are advised to update the openmcp-client extension to version 0.1.12 or later, where this vulnerability has been patched.