AgentDeskAI Browser-Tools-MCP OS Command Injection Vulnerability
Vulnerability
A command injection vulnerability has been identified in AgentDeskAI's Browser-Tools-MCP, specifically in versions up to 1.2.0. The issue arises from the improper handling of file path data in the browser-connector.ts file, allowing attacker-controlled input to be interpolated into a command that executes AppleScript via the 'osascript' command. This vulnerability can be exploited remotely, particularly on macOS systems where the 'autoPaste' feature is enabled, leading to arbitrary command execution.
Impact
Exploitation of this vulnerability allows for arbitrary command execution on the affected system, with the potential to read sensitive files, alter system configurations, and disrupt services or consume system resources.
Reproduction
To reproduce this vulnerability, first ensure that the target application is running on macOS and that the 'autoPaste' feature is enabled. Then, send a crafted WebSocket message to the '/extension-ws' endpoint, including a file path that contains command injection payloads. This will trigger the command execution via AppleScript.
Remediation
It is recommended to disable the 'autoPaste' feature in production environments, bind the service to localhost when possible, validate and normalize path inputs, and add authentication for the HTTP and WebSocket interfaces.
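One way to apply the "validate and normalize path inputs" recommendation, shown as an added example that is not code from browser-connector.ts or from the project. The directory /tmp/screenshots, the function names and the AppleScript body are assumptions made for illustration. The path is checked against an allowlist and then handed to osascript as a separate argument instead of being interpolated into the script text.

```typescript
// Added example with hypothetical names; not taken from browser-connector.ts.
const ALLOWED_DIR = "/tmp/screenshots";      // assumed screenshot directory
const SAFE_NAME = /^[A-Za-z0-9._-]+\.png$/;  // allowlist for the file name

// Resolve "." and ".." segments without touching the filesystem.
function normalizePosix(p: string): string {
  const out: string[] = [];
  for (const seg of p.split("/")) {
    if (seg === "" || seg === ".") continue;
    if (seg === "..") out.pop();
    else out.push(seg);
  }
  return "/" + out.join("/");
}

// Returns the normalized path, or null when the input must be rejected.
function validateScreenshotPath(input: unknown): string | null {
  if (typeof input !== "string" || input.charAt(0) !== "/") return null;
  if (input.indexOf("\0") !== -1) return null;
  const norm = normalizePosix(input);
  if (norm.indexOf(ALLOWED_DIR + "/") !== 0) return null;
  const name = norm.slice(ALLOWED_DIR.length + 1);
  return SAFE_NAME.test(name) ? norm : null; // also rejects subdirectories
}

// The AppleScript text is constant. The path travels as its own argv element
// and is read inside the script with `item 1 of argv`, so it is never parsed
// as AppleScript or shell source.
const SCRIPT_LINES = [
  "on run argv",
  "set the clipboard to POSIX file (item 1 of argv)", // assumed script body
  "end run",
];

function buildOsascriptArgs(input: unknown): string[] | null {
  const safe = validateScreenshotPath(input);
  if (safe === null) return null;
  const args: string[] = [];
  for (const line of SCRIPT_LINES) args.push("-e", line);
  args.push(safe);
  return args;
}
// On macOS, pass the result to execFile("/usr/bin/osascript", args) from
// node:child_process, which starts the process without a shell.
```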
