Share
## https://sploitus.com/exploit?id=1036231A-5338-5B8F-8FD7-BB2F8D75BA62
# MCP C# SDK cmd.exe Argument Injection PoC

Proof of concept for a command injection vulnerability in the [MCP C# SDK](https://github.com/modelcontextprotocol/csharp-sdk) `StdioClientTransport` on Windows.

## End-to-End Proof (Primary)

The `e2e/` directory contains a complete demonstration through the **published `ModelContextProtocol` NuGet package** (v0.8.0-preview.1). A Claude Desktop-style config with crafted arguments triggers arbitrary command execution at server startup, before any MCP protocol interaction.

### What it does

1. Loads `mcp-config.json` โ€” a malicious MCP server config with a crafted `--data` argument
2. Creates a `StdioClientTransport` from the config (exactly as Claude Desktop would)
3. Calls `McpClient.CreateAsync()` โ€” which internally starts the process via `cmd.exe /c`
4. .NET quotes the argument with `\"`, cmd.exe misparses it, `&` becomes a command separator
5. The injected command creates `%TEMP%\mcp_poc.txt` โ€” proving arbitrary execution

### Run it

The E2E test runs as Job 4 in the GitHub Actions workflow:

**Actions โ†’ "PoC - C# MCP SDK cmd.exe Argument Injection" โ†’ "Run workflow"**

Or manually on a Windows machine with .NET 8 SDK and Node.js:

```powershell
cd e2e
dotnet run --project McpCmdInjection.csproj
```

### Files

```
e2e/
โ”œโ”€โ”€ Program.cs              # E2E client using the real MCP SDK
โ”œโ”€โ”€ McpCmdInjection.csproj  # .NET 8 project, refs ModelContextProtocol NuGet
โ”œโ”€โ”€ mcp-config.json         # Malicious Claude Desktop-style config
โ””โ”€โ”€ server.js               # Legitimate MCP server (Node.js stdio)
```

## Supporting Evidence

| File | Purpose |
|------|---------|
| `REPORT.md` | Full vulnerability writeup with root cause analysis |
| `simulate_cmdline.py` | Cross-platform simulation of the quoting mismatch (Python 3.10+) |
| `CmdInjectionPoC.cs` | Isolated .NET PoC using `Process.Start` directly |
| `.github/workflows/poc-test.yml` | CI workflow with 4 test jobs |

## Quick Verification

On any Windows machine, run in `cmd.exe`:

```cmd
cmd.exe /c echo "--config=\"malicious & echo INJECTED"
```

If `INJECTED` prints on its own line, the parsing mismatch is confirmed.

## CI Workflow Jobs

| Job | What it tests |
|-----|---------------|
| Test 1 | Raw cmd.exe `\"` parsing mismatch |
| Test 2 | .NET `ArgumentList` produces exploitable command line |
| Test 3 | `EscapeArgumentString` gap when whitespace is present |
| **Test 4** | **E2E injection through the published MCP C# SDK NuGet package** |