AstrBotDevs AstrBot Command Injection Vulnerability in MCP Endpoint
Vulnerability
A command injection vulnerability has been identified in the MCP (Model Context Protocol) endpoint of AstrBotDevs AstrBot, affecting versions through 4.22.1. The vulnerability resides in the 'add_mcp_server' function in 'astrbot/dashboard/routes/tools.py'. It allows authenticated dashboard users to execute arbitrary system commands by manipulating the 'command' argument of an MCP server configuration. The attack is carried out remotely: the injected command is executed immediately during the connection test, with no validation of or restriction on the command applied.
Impact
Exploitation of this vulnerability allows for arbitrary command execution on the server where AstrBot is running, with the commands executed under the same privileges as the AstrBot process. This could lead to unauthorized access to sensitive data, establishment of a reverse shell for persistent access, or lateral movement within the network.
Reproduction
To reproduce this vulnerability, send a POST request to the '/api/tools/mcp/add' endpoint with a 'command' field containing the desired executable and an 'args' field for command-line arguments. Include a valid JWT token in the Authorization header. The server will execute the command as a subprocess, demonstrating the command injection.
Remediation
It is recommended to implement command allowlisting for MCP server configurations so that only explicitly approved executables can be launched. Further mitigations include validating the 'args' field to reject arguments containing shell metacharacters, separating the saving of a configuration from the connection test so that a newly submitted command is not run as a side effect of saving it, requiring a confirmation dialog before an MCP server is added, and logging every MCP configuration change with user attribution so that misuse can be traced.
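As an added example (not AstrBot's own code), a validation step of the kind the remediation describes: an allowlist of bare program names plus a metacharacter check on 'args', returning the argv list for a shell-free subprocess call. The allowlist contents, the metacharacter set and the function names are assumptions for illustration.

```python
import re
from typing import Any, Mapping

# Constructed allowlist for this example; a real deployment would load it
# from a config file that only an administrator can edit.
ALLOWED_MCP_COMMANDS = frozenset({"npx", "uvx", "python3"})

# Characters with no legitimate use inside a single argv element; they only
# matter if a value is ever handed to a shell, so reject them up front.
SHELL_METACHARACTERS = re.compile(r"[;&|`$<>(){}\n\r\x00\\]")


class McpConfigError(ValueError):
    """Raised when a submitted MCP server configuration is rejected."""


def validate_mcp_server_config(config: Mapping[str, Any]) -> list[str]:
    """Check the 'command'/'args' fields and return the argv list to pass
    to subprocess with shell=False; raise McpConfigError on any violation so
    the caller never reaches the connection test with an unvetted command."""
    command = config.get("command")
    if not isinstance(command, str) or not command:
        raise McpConfigError("'command' must be a non-empty string")
    # The allowlist holds bare program names; a path such as /tmp/x/npx or
    # ../npx must not pass by sharing a basename with an allowed entry.
    if "/" in command or "\\" in command:
        raise McpConfigError("'command' must be a bare program name, not a path")
    if command not in ALLOWED_MCP_COMMANDS:
        raise McpConfigError(f"command {command!r} is not in the allowlist")

    args = config.get("args", [])
    if not isinstance(args, list):
        raise McpConfigError("'args' must be a list of strings")
    for index, arg in enumerate(args):
        if not isinstance(arg, str):
            raise McpConfigError(f"args[{index}] must be a string")
        if SHELL_METACHARACTERS.search(arg):
            raise McpConfigError(f"args[{index}] contains shell metacharacters")
    return [command, *args]


def is_valid_mcp_server_config(config: Mapping[str, Any]) -> bool:
    """True if the configuration would be accepted; handy for a pre-save check."""
    try:
        validate_mcp_server_config(config)
    except McpConfigError:
        return False
    return True
```

The returned list is meant for subprocess.Popen(argv) with the default shell=False; the connection test should only ever run a list that came out of this function.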
