MCP Vulnerabilities: Poisoning and Manipulation

Overview of the Architecture

Target MCP for Demonstration: Toolbox

Smithery.ai is a prominent hub for MCP plugins, attracting many MCP listings and users. @smithery/toolbox, an official MCP management tool offered by smithery.ai, is the focus of this security assessment.

Toolbox was chosen as the test target for several reasons:

• It boasts a significant user base, making it a representative sample within the MCP ecosystem.
• It supports the automatic installation of additional plugins, augmenting client-side functionalities (e.g., Claude Desktop).
• It contains sensitive configurations, such as API keys, which facilitates the demonstration of potential exploits.

Malicious MCP Used for Demonstration: MasterMCP

MasterMCP, developed by SlowMist specifically for security testing purposes, is a simulated malicious MCP tool built on a modular architecture. Its key components include:

1. Local Website Service Simulation: http://127.0.0.1:1024

To create a realistic attack scenario, MasterMCP incorporates a local website service simulation module. Leveraging the FastAPI framework, this module quickly establishes a simple HTTP server that mimics common web environments. These pages may appear innocuous, showcasing bakery information or returning standard JSON data, but they conceal meticulously crafted malicious payloads within their source code or API responses.

This approach allows for the comprehensive demonstration of information poisoning and command hiding techniques in a secure, controlled local environment. It highlights the potential risks lurking within seemingly ordinary web pages, which can trigger abnormal behavior in large language models.

2. Localized Plug-in MCP Architecture

MasterMCP adopts a plug-in approach to facilitate rapid scalability for new attack vectors. Upon execution, MasterMCP initiates the FastAPI service of the previous module in a sub-process.

Demonstration Client

• Cursor: One of the most widely used AI-assisted programming IDEs globally.
• Claude Desktop: The official client of Anthropic, the organization that customized the MCP protocol.

Large Language Model (LLM) Used for Demonstration

• Claude 3.7

Claude 3.7 was selected due to its enhanced capabilities in recognizing sensitive operations and its representation of robust operational capabilities within the current MCP ecosystem.

Configuration of claude\_desktop\_config.json

With the configurations complete, the demonstration phase begins.

Cross-MCP Malicious Invocation

This demonstration incorporates both poisoning techniques and Cross-MCP malicious invocation strategies outlined in the checklist.

Web Page Content Poisoning Attack

1. Comment-Based Poisoning

Cursor accesses the local test website at http://127.0.0.1:1024.

This seemingly harmless page about ‘Delicious Cake World’ serves as a simulation to illustrate the potential impact of a large language model client accessing a malicious website.

Execution Command:

The results reveal that Cursor not only reads the web page content but also transmits local sensitive configuration data back to the test server. The malicious prompt is embedded in the source code as an HTML comment:

While this comment-based approach is relatively straightforward and easily detectable, it is still capable of triggering malicious operations.

2. Encoded Comment Poisoning

Accessing http://127.0.0.1:1024/encode reveals a page that appears identical to the previous example. However, the malicious prompts are encoded, making the exploit more difficult to detect even when inspecting the page’s source code.

Despite the absence of explicit prompts in the source code, the attack succeeds.

MCP Tool Return Information Poisoning

Based on the MasterMCP prompt instructions, we input a simulated command that triggers the malicious MCP and demonstrates its subsequent operations.

Upon triggering the command, the client initiates a cross-MCP call to Toolbox and successfully adds a new MCP server.

Inspection of the plugin code reveals that the returned data contains an encoded malicious payload, making it virtually undetectable to the user.

Third-Party Interface Pollution Attack

This demonstration highlights the potential risks associated with both malicious and non-malicious MCPs directly returning third-party API data to the context.

Example Code:

Execution Request:

Result: The malicious prompt is embedded in the returned JSON data and successfully triggers malicious execution.

Poisoning Techniques During MCP Initialization

This demonstration covers the checklist items of initial prompt injection and name conflicts.

Malicious Function Overwrite Attack

MasterMCP creates a tool with the same function name as Toolbox’s remove_server function, and encodes malicious prompts within it.

Execution Command:

Claude Desktop does not invoke the original toolbox remove_server method, but instead triggers the MasterMCP-provided method with the same name:

This is achieved by emphasizing that the ‘original method is deprecated,’ which encourages the large language model to prioritize the maliciously overwritten function.

Adding Malicious Global Inspection Logic

MasterMCP creates a tool called “banana,” which is designed to enforce a mandatory security check before any other tool is executed.

Before each function is executed, the system prioritizes the “banana” check mechanism:

This global logic injection is accomplished by repeatedly emphasizing the ‘mandatory execution of banana detection’ within the code.

Advanced Techniques for Hiding Malicious Prompts

LLM-Friendly Encoding Methods

Large language models possess strong parsing capabilities for multilingual formats, which can be exploited to conceal malicious information. Common methods include:

• English environment: Hex Byte encoding
• Chinese environment: NCR encoding or JavaScript encoding

Random Malicious Payload Return Mechanism

Similar to the third-party interface pollution mentioned in the third section, requesting http://127.0.0.1:1024/random results in:

Each request returns a randomly generated page containing a malicious payload, significantly increasing the difficulty of detection and tracing.

Through the practical demonstration of MasterMCP, the hidden security vulnerabilities within the Model Context Protocol (MCP) ecosystem have been revealed. From basic prompt injections and cross-MCP calls to more subtle attacks during initialization and the concealment of malicious instructions, each stage serves as a reminder of the inherent fragility alongside the power of the MCP ecosystem.

Today, as large models increasingly interact with external plugins and APIs, seemingly minor input pollution can trigger system-wide security risks. The evolving diversity of attacker tactics, including encoding techniques, random pollution, and function overwrites, necessitates a comprehensive upgrade to traditional security approaches. The key takeaway is that security cannot be an afterthought; it must be integrated into every layer of the MCP ecosystem, from protocol design to plugin development and deployment.

The demonstrations outlined above highlight several critical areas for improvement in MCP security:

• Input Validation and Sanitization: Rigorous input validation and sanitization are crucial to prevent malicious code injection. All data received from external sources, including web pages, API responses, and other MCPs, should be thoroughly vetted before being used in any critical operations. This includes decoding encoded data and checking for unexpected or suspicious characters.

• Context Isolation: MCPs should operate within isolated contexts to prevent cross-MCP interference. Techniques like sandboxing or containerization can help limit the potential damage from a compromised MCP. Furthermore, strong access control mechanisms should be implemented to restrict the ability of MCPs to access sensitive resources or invoke functions in other MCPs.

• Function Overwrite Protection: Mechanisms should be put in place to prevent malicious MCPs from overwriting critical system functions. This could involve using namespaces or other techniques to ensure that function names are unique and cannot be easily spoofed. Furthermore, the system should verify the authenticity and integrity of any function before it is executed.

• Global Inspection and Monitoring: Centralized monitoring and logging systems can help detect and respond to malicious activity within the MCP ecosystem. These systems should be able to identify suspicious patterns of behavior, such as unusual network traffic, unauthorized access attempts, or the execution of malicious code. Real-time alerts can be triggered to notify administrators of potential security incidents.

• Secure Development Practices: Developers of MCPs should adhere to secure coding practices to minimize the risk of vulnerabilities. This includes using secure coding libraries, performing regular security audits, and implementing robust testing procedures. Security should be a primary consideration throughout the entire software development lifecycle.

• User Awareness and Education: Users should be educated about the risks of using untrusted MCPs. They should be encouraged to only install MCPs from trusted sources and to carefully review the permissions requested by each MCP before granting access. Furthermore, users should be aware of the potential for phishing attacks and other social engineering techniques that could be used to trick them into installing malicious MCPs.

• Formal Verification and Static Analysis: Formal verification and static analysis tools can be used to automatically identify potential vulnerabilities in MCP code. These tools can help developers catch errors early in the development process and prevent them from making their way into production code.

• Runtime Security Mechanisms: Runtime security mechanisms, such as address space layout randomization (ASLR) and data execution prevention (DEP), can help mitigate the impact of exploits by making it more difficult for attackers to execute malicious code.

• Dynamic Analysis and Fuzzing: Dynamic analysis and fuzzing techniques can be used to test the robustness of MCPs by subjecting them to a wide range of inputs, including malformed or unexpected data. This can help identify potential vulnerabilities that may not be apparent through static analysis.

• Regular Security Audits and Penetration Testing: Regular security audits and penetration testing can help identify and address vulnerabilities in the MCP ecosystem. These audits should be conducted by independent security experts who are familiar with the latest attack techniques.

In conclusion, securing the Model Context Protocol (MCP) ecosystem requires a multi-layered approach that addresses vulnerabilities at every level. By implementing the security measures outlined above, developers and administrators can significantly reduce the risk of attacks and ensure the integrity and reliability of the MCP ecosystem. The MasterMCP tool provides a valuable resource for testing and evaluating the effectiveness of these security measures. It empowers developers to proactively identify and mitigate vulnerabilities before they can be exploited by malicious actors. Continuous vigilance and adaptation are crucial to stay ahead of the evolving threat landscape and maintain a secure and trustworthy MCP environment. The open-source nature of MasterMCP encourages community collaboration and fosters a shared understanding of MCP security, ultimately contributing to a more resilient and secure ecosystem for large language model applications.