Tufantunc ssh-mcp Information Exposure Vulnerability

Vulnerability

A local information exposure vulnerability exists in Tufantunc ssh-mcp versions through 1.5.0. The issue lies in the Command Line Handler component, in an unknown function in the file src/index.ts. SSH credentials can be passed via command-line options, which exposes them to unprivileged local users: process arguments can be read through standard Linux utilities such as 'ps', or from '/proc/<pid>/cmdline', leading to unauthorized access to plaintext passwords. The vulnerability has been publicly disclosed and could be exploited by any local user on the same host.

Impact

Exploitation of this vulnerability results in the exposure of SSH credentials, including passwords for sudo and su access, from the command-line arguments of the running process. This credential leakage violates secure handling of sensitive information and could be exploited by local users to gain elevated privileges or access restricted commands.

Reproduction

The vulnerability can be reproduced by starting the ssh-mcp server and passing SSH credentials through the command-line options '--password', '--sudoPassword', and '--suPassword'. Once the server is running, these plaintext credentials can be retrieved by any local user from the process command-line string using 'ps' or by reading '/proc/<pid>/cmdline'.
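To check a host for this exposure, the following added example (not code from the ssh-mcp project) parses NUL-separated '/proc/<pid>/cmdline' data and reports which of the three options named above carry a value, without printing the value. It assumes the server's argv contains the string "ssh-mcp" and that both "--flag=value" and "--flag value" forms may occur; the sample input is constructed.

```python
import os

# Option names taken from the advisory text.
SENSITIVE_FLAGS = ("--password", "--sudoPassword", "--suPassword")

# Constructed sample of a /proc/<pid>/cmdline blob (NUL-separated argv).
SAMPLE = b"node\0ssh-mcp\0--password=CONSTRUCTED\0--sudoPassword\0CONSTRUCTED\0"


def parse_cmdline(raw):
    """Split a NUL-separated cmdline blob into a list of argument strings."""
    return [a.decode("utf-8", "replace") for a in raw.split(b"\0") if a]


def exposed_flags(argv):
    """Return the sensitive option names that carry a value (never the value)."""
    hits = []
    for i, arg in enumerate(argv):
        name, sep, value = arg.partition("=")
        if name not in SENSITIVE_FLAGS:
            continue
        # Assumption: both "--flag=value" and "--flag value" forms may occur.
        nxt = argv[i + 1] if i + 1 < len(argv) else ""
        if (sep and value) or (not sep and nxt and not nxt.startswith("--")):
            hits.append(name)
    return hits


def scan(proc_root="/proc", marker="ssh-mcp"):
    """Map pid -> exposed option names for processes whose argv mentions marker."""
    findings = {}
    for entry in os.listdir(proc_root):
        if not entry.isdigit():
            continue
        try:
            with open(os.path.join(proc_root, entry, "cmdline"), "rb") as fh:
                argv = parse_cmdline(fh.read())
        except OSError:
            continue  # process exited or /proc is mounted with hidepid
        hits = exposed_flags(argv)
        # Assumption: the server's argv contains the marker string.
        if hits and any(marker in a for a in argv):
            findings[int(entry)] = hits
    return findings


if __name__ == "__main__":
    for pid, flags in sorted(scan().items()):
        print(f"pid {pid}: credentials on command line via {', '.join(flags)}")
```

Any process it reports has had its credentials readable by other local users for as long as it has been running, so those passwords should be treated as disclosed.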

Added: Apr 26, 2026, 12:18 PM
Updated: Apr 26, 2026, 12:18 PM

Vulnerability Rating

Custom Algorithm

spread: 0.0
impact: 2.5
exploitability: 4.6
remediation: 0.0
relevance: 6.8
threat: 6.4
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.