PPTAgent, Path Traversal Arbitrary File Write, Critical

The vulnerability exists in the `save_generated_slides` MCP tool of icip-cas/PPTAgent (fixed in commit 418491a). The function accepts a `pptx_path` string argument and writes a generated PPTX file to that path without any workspace restriction or path validation. On server startup, the working directory changes to `WORKSPACE` if set, so relative paths stay inside the workspace. However, absolute paths bypass this confinement entirely.

The code calls `pptx.parent.mkdir(parents=True, exist_ok=True)`, which creates arbitrary directories anywhere on the filesystem. Then `self.empty_prs.save(pptx_path)` writes a valid PPTX binary (a ZIP archive) to the user-supplied path. No `is_relative_to(workspace)` check is performed, unlike the `download_file` function in `deeppresenter/tools/search.py:290`, which correctly enforces workspace confinement. This allows an attacker to write a PPTX file to any location accessible to the server process.

Since the PPTX format is a ZIP archive, it contains structured data that can be misinterpreted by other system components. The absence of path sanitisation enables directory traversal (e.g., `../../.ssh/known_hosts.pptx`), absolute path writes (e.g., `/etc/cron.d/backdoor`), and device writes (e.g., `/dev/sda`). No file extension validation or content type restriction exists before the write operation. The server process's privileges determine the impact: if running as root, system-critical files can be overwritten. The fix requires resolving the target path against the workspace and rejecting any path that escapes it.

dailycve form:

Platform: PPTAgent MCP server
Version: before 418491a
Vulnerability: Path traversal arbitrary write
Severity: Critical
Date: 2025-03-01

Prediction: Already patched

What Undercode Say:

```bash
# Check for vulnerable save_generated_slides implementation
grep -n "def save_generated_slides" pptagent/mcp_server.py

# Exploit using absolute path (if server runs as root)
echo '{"pptx_path": "/etc/cron.d/backdoor"}' | mcp call save_generated_slides

# Directory traversal from workspace
echo '{"pptx_path": "../../../home/user/.bashrc"}' | mcp call save_generated_slides

# Simulate workspace restriction bypass
python3 -c "
from pathlib import Path
workspace = Path('/workspace').resolve()
evil = Path('/etc/passwd').resolve()
print(evil.is_relative_to(workspace))  # False, but no check in code
"
```

Exploit:

Send a JSON-RPC request to the MCP server with `method: "save_generated_slides"` and params `{"pptx_path": "/absolute/path/to/target"}`. The server creates parent directories and writes a PPTX ZIP file at that path. For cron persistence, use `/etc/cron.d/backdoor`. For user shell takeover, use `/home/user/.bashrc`; the binary blob's custom properties or comments can embed shell commands. For denial of service, write to `/dev/sda` to corrupt the disk raw device.

Protection from this CVE

Apply the commit from icip-cas/PPTAgent@418491a. If patching is not possible, restrict the server’s filesystem access using a chroot, container (Docker with read‑only root), or seccomp filters that block writes to sensitive paths. Manually validate `pptx_path` by resolving it against the workspace directory and rejecting any path where `target.is_relative_to(workspace)` is false.
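
The manual validation described above, as an added example (not the project's code and not the change made in commit 418491a). `confine_to_workspace`, `UnsafeOutputPath` and `check_samples` are hypothetical names, the sample inputs are constructed from the paths mentioned on this page, and the `.pptx` suffix check is an extra assumption.

```python
import os
import tempfile
from pathlib import Path


class UnsafeOutputPath(ValueError):
    """Raised when a requested output path fails validation."""


def confine_to_workspace(pptx_path: str, workspace: Path) -> Path:
    """Return the resolved target path, or raise if it leaves `workspace`.

    Hypothetical helper: call it before any mkdir() or save() on the path.
    """
    root = workspace.resolve(strict=True)
    # Joining covers both cases: a relative path is anchored at the root,
    # while an absolute path replaces the root and fails the check below.
    # resolve() collapses ".." and follows symlinks that already exist.
    target = (root / pptx_path).resolve()
    if not target.is_relative_to(root):  # Python 3.9+
        raise UnsafeOutputPath(f"{pptx_path!r} resolves outside {root}")
    # Extension check: the page notes that none exists before the write.
    if target.suffix.lower() != ".pptx":
        raise UnsafeOutputPath(f"{pptx_path!r} is not a .pptx file")
    return target


def check_samples() -> dict:
    """Run constructed sample inputs through the check in a temp workspace."""
    results = {}
    with tempfile.TemporaryDirectory() as tmp:
        ws = Path(tmp) / "workspace"
        ws.mkdir()
        # Constructed symlink inside the workspace that points outside it.
        os.symlink(tmp, ws / "link")
        samples = ["out/deck.pptx", "../../.ssh/known_hosts.pptx",
                   "/etc/cron.d/backdoor", "/dev/sda", "link/deck.pptx"]
        for s in samples:
            try:
                confine_to_workspace(s, ws)
                results[s] = "allowed"
            except UnsafeOutputPath:
                results[s] = "rejected"
    return results


if __name__ == "__main__":
    for path, verdict in check_samples().items():
        print(f"{verdict:8}  {path}")
```

The check reflects the filesystem at validation time, so a symlink created inside the workspace between the check and the write is not covered; filesystem confinement of the server process remains the backstop.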

Impact

An attacker can overwrite any file accessible to the server process. This includes cron jobs (root privilege escalation), shell startup files (user persistence), SSH known_hosts (man‑in‑the‑middle), configuration files, and raw block devices (system crash or data loss). No authentication is required if the MCP server is exposed over the network. The impact is Critical, especially when the server runs with elevated privileges.

Sources:

Reported By: github.com