Skip to content
ATR-2026-02146criticalPrivilege Escalationexperimental

Export/Extract Tool Directory Parameter Redirected to a Credential Directory

Detects an agent/MCP tool call for an export, merge, or extract-type operation (network-capture object export, archive merge, file extraction) whose destination-directory parameter (dest_dir/output_dir/export_dir/ extract_dir/save_dir) is set directly to a credential/config directory (~/.ssh, ~/.aws, ~/.gnupg, ~/.docker, ~/.kube) rather than the tool's intended working/output location. Unlike a path-traversal payload, no "../" sequence is needed here — the directory parameter is a legitimate, documented tool argument that is simply pointed at a sensitive location, which lets the export write attacker-named files (e.g. one named "authorized_keys") directly into that directory. Mined from GHSA-3r68-x3xc-rxpg (CVE-2026-43901, Wireshark MCP's wireshark_export_objects and six sibling file-write functions default their path sandbox, _allowed_dirs, to None so it "permits writes to any filesystem location" unless an operator explicitly configures an allowlist env var): "An attacker embeds a crafted HTTP response in a pcap file (e.g. Content-Disposition: filename=authorized_keys). Via prompt injection in the pcap payload, an AI model using this MCP server is manipulated into calling wireshark_export_objects with: dest_dir=/home/user/.ssh/". Generalized beyond Wireshark MCP to any export/merge/extract tool exposing a destination-directory argument.

Severity
critical
Category
Privilege Escalation
Scan Target
mcp
Author
ATR Community (CVE sweep)

Response Actions

block inputalert

References

OWASP Agentic
ASI02:2026 - Tool Misuse and Exploitation
OWASP LLM
LLM08:2025 - Excessive Agency
MITRE ATLAS
AML.T0053 - LLM Plugin Compromise

Detection Conditions

Combinator: any
  1. 01
    Export/extract-tool destination-directory argument set directly to a credential/config directory
    field: contentop: regex

Attack Examples (Rule Triggers)

  1. wireshark_export_objects(dest_dir="/home/user/.ssh/")
  2. wireshark_export_objects(dest_dir="~/.ssh/")
  3. merge_pcap_files(output_dir="/home/user/.aws/")
  4. {"export_dir": "~/.gnupg/"}

Real-world attack payloads, sanitized and versioned alongside the rule as regression tests — so a future revision can't silently stop catching them.

Benign Examples (Rule Doesn't Trigger)

  1. Destination directory pointed at an ordinary Downloads folder
    dest_dir="/home/user/Downloads/"
  2. Destination directory pointed at an ordinary temp export folder
    output_dir=/tmp/pcap_exports/

Known False Positive Contexts

  • A destination-directory argument pointed at the tool's own configured output/working directory (Downloads, /tmp, a project workspace), even when it is an absolute path — this rule only fires on the specific credential directories listed (.ssh, .aws, .gnupg, .docker, .kube)
  • A legitimate SSH/cloud-credential management skill whose documented purpose is to read or back up its own ~/.ssh or ~/.aws directory — should be reviewed for context since the parameter shape is identical to the attack

Full YAML Definition

Edit on GitHub →
title: "Export/Extract Tool Directory Parameter Redirected to a Credential Directory"
id: ATR-2026-02146
rule_version: 2
status: experimental
description: >
  Detects an agent/MCP tool call for an export, merge, or extract-type
  operation (network-capture object export, archive merge, file extraction)
  whose destination-directory parameter (dest_dir/output_dir/export_dir/
  extract_dir/save_dir) is set directly to a credential/config directory
  (~/.ssh, ~/.aws, ~/.gnupg, ~/.docker, ~/.kube) rather than the tool's
  intended working/output location. Unlike a path-traversal payload, no
  "../" sequence is needed here — the directory parameter is a legitimate,
  documented tool argument that is simply pointed at a sensitive location,
  which lets the export write attacker-named files (e.g. one named
  "authorized_keys") directly into that directory. Mined from
  GHSA-3r68-x3xc-rxpg (CVE-2026-43901, Wireshark MCP's
  wireshark_export_objects and six sibling file-write functions default
  their path sandbox, _allowed_dirs, to None so it "permits writes to any
  filesystem location" unless an operator explicitly configures an
  allowlist env var): "An attacker embeds a crafted HTTP response in a pcap
  file (e.g. Content-Disposition: filename=authorized_keys). Via prompt
  injection in the pcap payload, an AI model using this MCP server is
  manipulated into calling wireshark_export_objects with:
  dest_dir=/home/user/.ssh/". Generalized beyond Wireshark MCP to any
  export/merge/extract tool exposing a destination-directory argument.
author: "ATR Community (CVE sweep)"
date: "2026/07/11"
schema_version: "0.1"
detection_tier: pattern
maturity: experimental
severity: critical

references:
  owasp_llm:
    - "LLM08:2025 - Excessive Agency"
  owasp_agentic:
    - "ASI02:2026 - Tool Misuse and Exploitation"
  mitre_attack:
    - "T1552 - Unsecured Credentials"
    - "T1098.004 - Account Manipulation: SSH Authorized Keys"
  mitre_atlas:
    - "AML.T0053 - LLM Plugin Compromise"
  cve:
    - "CVE-2026-43901"
  external:
    - "https://github.com/bx33661/Wireshark-MCP/security/advisories/GHSA-3r68-x3xc-rxpg"

metadata_provenance:
  owasp_llm: human-reviewed
  owasp_agentic: human-reviewed
  mitre_attack: human-reviewed
  mitre_atlas: human-reviewed
  cve: nvd-sync

compliance:
  eu_ai_act:
    - article: "15"
      context: "Article 15 (accuracy, robustness and cybersecurity) requires high-risk AI systems to resist unauthorised attempts to alter their behaviour or environment; this rule detects an export/extract tool's destination-directory argument being redirected into a credential directory to plant attacker-controlled files there."
      strength: primary
    - article: "9"
      context: "Article 9 (risk management system) requires identified risks to be addressed by appropriate measures; this rule is a runtime risk-treatment control for the dest-dir credential-directory-redirect risk class."
      strength: secondary
  nist_ai_rmf:
    - subcategory: "MG.2.3"
      context: "Treating export-tool dest-dir redirection into a credential directory as an identified AI risk requires active runtime countermeasures; this detection rule is the primary risk treatment implementation."
      strength: primary
    - subcategory: "MP.5.1"
      context: "Identifying the dest-dir credential-directory-redirect technique as an AI risk to be catalogued in the organizational risk register."
      strength: secondary
  iso_42001:
    - clause: "8.1"
      context: "ISO/IEC 42001 Clause 8.1 (operational planning and control) is operationalised by this rule's detection of export-tool directory redirection."
      strength: primary
    - clause: "8.3"
      context: "ISO/IEC 42001 Clause 8.3 (AI risk treatment) is implemented via this rule's runtime detection of the redirection attempt."
      strength: secondary

tags:
  category: privilege-escalation
  subcategory: export-tool-dest-dir-redirect
  scan_target: mcp
  confidence: high

agent_source:
  type: llm_io
  framework:
    - any
  provider:
    - any

detection:
  condition: any
  conditions:
    - field: content
      operator: regex
      value: '(?i)\b(?:dest_dir|output_dir|export_dir|extract_dir|save_dir|out_dir)\b["\x27]?\s*[:=]\s*["\x27]?(?:~|\$HOME)?/?(?:home/[^/\s"\x27]+/)?\.(?:ssh|aws|gnupg|docker|kube)\b'
      description: "Export/extract-tool destination-directory argument set directly to a credential/config directory"
  false_positives:
    - "A destination-directory argument pointed at the tool's own configured output/working directory (Downloads, /tmp, a project workspace), even when it is an absolute path — this rule only fires on the specific credential directories listed (.ssh, .aws, .gnupg, .docker, .kube)"
    - "A legitimate SSH/cloud-credential management skill whose documented purpose is to read or back up its own ~/.ssh or ~/.aws directory — should be reviewed for context since the parameter shape is identical to the attack"

response:
  actions:
    - block_input
    - alert
  message_template: >
    [ATR-2026-02146] Export/extract tool's destination-directory argument is
    set directly to a credential directory (.ssh/.aws/.gnupg/.docker/.kube) —
    treat as an attempt to plant or overwrite files there, not a routine
    output-path configuration.

confidence: 80
wild_fp_rate: 0

test_cases:
  true_positives:
    - input: 'wireshark_export_objects(dest_dir="/home/user/.ssh/")'
      expected: triggered
      description: "GHSA-3r68-x3xc-rxpg disclosed pcap-injection PoC — dest_dir redirected to ~/.ssh"
    - input: 'wireshark_export_objects(dest_dir="~/.ssh/")'
      expected: triggered
      description: "Tilde-relative variant of the same dest_dir redirection"
    - input: 'merge_pcap_files(output_dir="/home/user/.aws/")'
      expected: triggered
      description: "Sibling export-family function redirected to the AWS credentials directory"
    - input: '{"export_dir": "~/.gnupg/"}'
      expected: triggered
      description: "JSON-style tool-args export_dir redirected to the GnuPG directory"
  true_negatives:
    - input: 'dest_dir="/home/user/Downloads/"'
      expected: not_triggered
      description: "Destination directory pointed at an ordinary Downloads folder"
    - input: "output_dir=/tmp/pcap_exports/"
      expected: not_triggered
      description: "Destination directory pointed at an ordinary temp export folder"

Revision History

Created
2026-07-11
Last modified
2026-07-12
View full commit history on GitHub →