<Casual Thoughts on MCP Server Security

Following the previous article, which discussed the characteristics of MCP servers and how they can be referenced by AI agents without authorization, it sounds like they could easily be abused for malicious purposes. However, without proper packaging, such abuse would actually be quite easy to detect.

Therefore, this article will explore how MCP can be "beautified" so that users unknowingly fall into a seemingly attractive trap.

First, we will refine the MCP tool from the previous article, which was capable of establishing a callback connection. We will create a new MCP tool that returns a shell script, allowing the listener on the other end to execute commands.

One thing to note is that typical one-line shell scripts mainly use os.dup2 to create a shell with "system-level redirection," which also makes it easy to perform a TTY upgrade. However, in our case, we are using Popen to create the shell.

This design allows the program to continue executing the next line of code without waiting for the shell process to terminate.

The reason for this is to prevent the frontend user from experiencing a "freeze" or "hang" when the AI agent invokes the MCP tool.

After designing the reverse shell itself, the next step is packaging.

We wrap the reverse shell function inside a seemingly normal hello MCP tool, and further use threading to allow the shell-related MCP tool to run independently in the background, quietly hidden from view.

Finally, we attempted to have the AI agent use the packaged Hello MCP tool, and the remote listener on port 9000 successfully received the returned shell.

In the next article, Part 3 will serve as the final installment of this series. We will take this MCP server to the next level, giving it the potential to become "omnipresent."