Wireshark MCP Arbitrary File Write Vulnerability via Unrestricted Export Objects Directive

Vulnerability

A vulnerability in Wireshark MCP versions through 1.1.5 allows arbitrary file writes. The issue arises in the 'wireshark_export_objects' MCP tool, which accepts an attacker-controlled 'dest_dir' parameter and passes it to tshark's '--export-objects' flag without any mandatory path restriction. By default the path sandbox is disabled, so any directory on the filesystem is a valid export target. The vulnerability can be triggered by embedding a crafted HTTP response in a pcap file that manipulates the AI model into calling 'wireshark_export_objects' with an attacker-chosen destination directory. As a result, sensitive files such as authorized_keys can be accessed or overwritten.

Impact

Exploitation of this vulnerability allows for arbitrary file writes to any location on the filesystem, potentially overwriting critical files or injecting malicious ones. In the demonstrated attack scenario, an HTTP object was extracted and written to a user's SSH directory, granting unauthorized SSH access.

Reproduction

The vulnerability can be reproduced by setting up a Wireshark MCP server with the default configuration, where the '_allowed_dirs' parameter is None, allowing unrestricted file writes. Afterward, a pcap file can be crafted to include a manipulated HTTP response that exploits the 'wireshark_export_objects' tool, directing the exported file to a sensitive location such as the user's SSH directory.

Remediation

Users can set the 'WIRESHARK_MCP_ALLOWED_DIRS' environment variable to a restricted directory before starting the server, which activates the existing path sandbox and blocks writes outside the allowed directory.
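The following is an added illustration, not code from the Wireshark MCP project: it shows the weak default described above (no allowed directories, so every 'dest_dir' is accepted) beside a containment check of the kind an allowed-directories sandbox needs, one that resolves symlinks and '..' before comparing and is not fooled by a shared path prefix. The function and variable names are assumptions for the example.

```python
"""Destination-directory sandbox check for an export-objects style tool."""
import tempfile
from pathlib import Path
from typing import Iterable, Optional


def dest_dir_allowed(dest_dir: str, allowed_dirs: Optional[Iterable[str]]) -> bool:
    """Return True if dest_dir resolves to a location inside one of allowed_dirs.

    allowed_dirs=None models the unsafe default: the sandbox is off and any
    path is accepted. A non-empty list enforces real containment.
    """
    if allowed_dirs is None:                # sandbox disabled (vulnerable default)
        return True
    target = Path(dest_dir).resolve()       # follows symlinks, collapses '..'
    for root in allowed_dirs:
        root_path = Path(root).resolve()
        # Equality or ancestry on resolved paths; a string prefix test would
        # wrongly accept e.g. /srv/exports_evil for root /srv/exports.
        if target == root_path or root_path in target.parents:
            return True
    return False


def demo() -> dict:
    """Exercise the check against a constructed layout in a temp directory."""
    with tempfile.TemporaryDirectory() as tmp:
        base = Path(tmp).resolve()
        exports = base / "exports"              # the one allowed export root
        exports.mkdir()
        ssh_dir = base / "home" / ".ssh"        # stands in for a sensitive directory
        ssh_dir.mkdir(parents=True)
        # A symlink placed inside the allowed root that points outside it.
        (exports / "link").symlink_to(ssh_dir, target_is_directory=True)
        sandbox = [str(exports)]
        return {
            "default_off": dest_dir_allowed(str(ssh_dir), None),                       # True
            "inside": dest_dir_allowed(str(exports / "http"), sandbox),                # True
            "dotdot": dest_dir_allowed(str(exports / ".." / "home" / ".ssh"), sandbox),  # False
            "symlink": dest_dir_allowed(str(exports / "link"), sandbox),               # False
            "prefix_trick": dest_dir_allowed(str(base / "exports_evil"), sandbox),     # False
        }


if __name__ == "__main__":
    print(demo())
```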

Added: May 11, 2026, 11:27 PM
Updated: May 11, 2026, 11:27 PM

Vulnerability Rating

Custom Algorithm

spread: 0.0
impact: 0.6
exploitability: 7.5
remediation: 0.0
relevance: 8.0
threat: 6.4
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.