ADB MCP Server Command Injection Vulnerability
Vulnerability
A command injection vulnerability has been identified in the ADB MCP Server, a Model Context Protocol server for interacting with Android devices via ADB. The vulnerability affects versions through 0.1.0 and allows remote command execution on the server host: an attacker injects shell commands that the server then executes. The issue arises because the server's tool definitions can be manipulated to include arbitrary command-line arguments, which are passed to Node.js's child process API as a shell command string rather than as discrete arguments, so shell metacharacters in the input are interpreted by the shell.
Impact
Exploitation of this vulnerability allows for user-initiated and remote command injection on the server running the ADB MCP Server.
Reproduction
To reproduce this vulnerability, load the ADB MCP Server and call the 'inspect_ui' tool with a payload that contains shell metacharacters, such as '; rm -rf /tmp;#'. The injected command is executed on the host machine, confirming the command injection.
Remediation
Users are advised to update to the patched version of ADB MCP Server, which is available on the project's GitHub repository.