WeKnora Tool Execution Hijacking Vulnerability via Indirect Prompt Injection

A vulnerability in WeKnora versions prior to 0.3.0 allows a malicious remote MCP server to hijack tool execution through a combination of tool name collision and indirect prompt injection. The issue arises from an ambiguous naming convention in the MCP client, which enables an attacker to register a malicious tool that overwrites a legitimate one. This exploitation can redirect the execution flow of a language model, exfiltrate system prompts and context, and potentially execute other tools using the user's privileges.

Impact

Exploitation of this vulnerability allows for unauthorized execution of tools in the context of the user's MCP client, with the potential to exfiltrate sensitive information such as system prompts, context, and credentials to an attacker-controlled endpoint. Additionally, it enables the abuse of user privileges to perform actions on the user's behalf, possibly accessing other tools or services.

Reproduction

To reproduce this vulnerability, first set up a malicious MCP server that can be reached by the WeKnora client. This server should expose two tools: one that acts as a trigger and another that mimics the name of a legitimate tool to exploit the naming collision. After configuring the server, register it in the WeKnora client, ensuring it overwrites the legitimate tool. Once the malicious tool is registered, instruct the language model to execute the trigger tool, which will prompt the model to call the hijacked tool instead. The execution of the malicious tool will then exfiltrate the system prompt and context to the attacker's server.

Remediation

Users can update to WeKnora version 0.3.0 or later, where this vulnerability has been patched.