Export/Extract Tool Directory Parameter Redirected to a Credential Directory
Detects an agent/MCP tool call for an export, merge, or extract-type operation (network-capture object export, archive merge, file extraction) whose destination-directory parameter (dest_dir/output_dir/export_dir/ extract_dir/save_dir) is set directly to a credential/config directory (~/.ssh, ~/.aws, ~/.gnupg, ~/.docker, ~/.kube) rather than the tool's intended working/output location. Unlike a path-traversal payload, no "../" sequence is needed here — the directory parameter is a legitimate, documented tool argument that is simply pointed at a sensitive location, which lets the export write attacker-named files (e.g. one named "authorized_keys") directly into that directory. Mined from GHSA-3r68-x3xc-rxpg (CVE-2026-43901, Wireshark MCP's wireshark_export_objects and six sibling file-write functions default their path sandbox, _allowed_dirs, to None so it "permits writes to any filesystem location" unless an operator explicitly configures an allowlist env var): "An attacker embeds a crafted HTTP response in a pcap file (e.g. Content-Disposition: filename=authorized_keys). Via prompt injection in the pcap payload, an AI model using this MCP server is manipulated into calling wireshark_export_objects with: dest_dir=/home/user/.ssh/". Generalized beyond Wireshark MCP to any export/merge/extract tool exposing a destination-directory argument.
建議回應
參考資料
偵測條件
組合方式: any- 01Export/extract-tool destination-directory argument set directly to a credential/config directory欄位: content運算子: regex
攻擊範例(規則會觸發)
wireshark_export_objects(dest_dir="/home/user/.ssh/")
wireshark_export_objects(dest_dir="~/.ssh/")
merge_pcap_files(output_dir="/home/user/.aws/")
{"export_dir": "~/.gnupg/"}
以上為真實攻擊 payload 的脫敏版本,與規則一同版本化,作為 regression test——確保未來的修訂不會悄悄漏掉它們。
正常樣本(規則不會觸發)
- Destination directory pointed at an ordinary Downloads folder
dest_dir="/home/user/Downloads/"
- Destination directory pointed at an ordinary temp export folder
output_dir=/tmp/pcap_exports/
已知誤報情境
- ▸A destination-directory argument pointed at the tool's own configured output/working directory (Downloads, /tmp, a project workspace), even when it is an absolute path — this rule only fires on the specific credential directories listed (.ssh, .aws, .gnupg, .docker, .kube)
- ▸A legitimate SSH/cloud-credential management skill whose documented purpose is to read or back up its own ~/.ssh or ~/.aws directory — should be reviewed for context since the parameter shape is identical to the attack
完整 YAML 定義
在 GitHub 編輯 →title: "Export/Extract Tool Directory Parameter Redirected to a Credential Directory"
id: ATR-2026-02146
rule_version: 2
status: experimental
description: >
Detects an agent/MCP tool call for an export, merge, or extract-type
operation (network-capture object export, archive merge, file extraction)
whose destination-directory parameter (dest_dir/output_dir/export_dir/
extract_dir/save_dir) is set directly to a credential/config directory
(~/.ssh, ~/.aws, ~/.gnupg, ~/.docker, ~/.kube) rather than the tool's
intended working/output location. Unlike a path-traversal payload, no
"../" sequence is needed here — the directory parameter is a legitimate,
documented tool argument that is simply pointed at a sensitive location,
which lets the export write attacker-named files (e.g. one named
"authorized_keys") directly into that directory. Mined from
GHSA-3r68-x3xc-rxpg (CVE-2026-43901, Wireshark MCP's
wireshark_export_objects and six sibling file-write functions default
their path sandbox, _allowed_dirs, to None so it "permits writes to any
filesystem location" unless an operator explicitly configures an
allowlist env var): "An attacker embeds a crafted HTTP response in a pcap
file (e.g. Content-Disposition: filename=authorized_keys). Via prompt
injection in the pcap payload, an AI model using this MCP server is
manipulated into calling wireshark_export_objects with:
dest_dir=/home/user/.ssh/". Generalized beyond Wireshark MCP to any
export/merge/extract tool exposing a destination-directory argument.
author: "ATR Community (CVE sweep)"
date: "2026/07/11"
schema_version: "0.1"
detection_tier: pattern
maturity: experimental
severity: critical
references:
owasp_llm:
- "LLM08:2025 - Excessive Agency"
owasp_agentic:
- "ASI02:2026 - Tool Misuse and Exploitation"
mitre_attack:
- "T1552 - Unsecured Credentials"
- "T1098.004 - Account Manipulation: SSH Authorized Keys"
mitre_atlas:
- "AML.T0053 - LLM Plugin Compromise"
cve:
- "CVE-2026-43901"
external:
- "https://github.com/bx33661/Wireshark-MCP/security/advisories/GHSA-3r68-x3xc-rxpg"
metadata_provenance:
owasp_llm: human-reviewed
owasp_agentic: human-reviewed
mitre_attack: human-reviewed
mitre_atlas: human-reviewed
cve: nvd-sync
compliance:
eu_ai_act:
- article: "15"
context: "Article 15 (accuracy, robustness and cybersecurity) requires high-risk AI systems to resist unauthorised attempts to alter their behaviour or environment; this rule detects an export/extract tool's destination-directory argument being redirected into a credential directory to plant attacker-controlled files there."
strength: primary
- article: "9"
context: "Article 9 (risk management system) requires identified risks to be addressed by appropriate measures; this rule is a runtime risk-treatment control for the dest-dir credential-directory-redirect risk class."
strength: secondary
nist_ai_rmf:
- subcategory: "MG.2.3"
context: "Treating export-tool dest-dir redirection into a credential directory as an identified AI risk requires active runtime countermeasures; this detection rule is the primary risk treatment implementation."
strength: primary
- subcategory: "MP.5.1"
context: "Identifying the dest-dir credential-directory-redirect technique as an AI risk to be catalogued in the organizational risk register."
strength: secondary
iso_42001:
- clause: "8.1"
context: "ISO/IEC 42001 Clause 8.1 (operational planning and control) is operationalised by this rule's detection of export-tool directory redirection."
strength: primary
- clause: "8.3"
context: "ISO/IEC 42001 Clause 8.3 (AI risk treatment) is implemented via this rule's runtime detection of the redirection attempt."
strength: secondary
tags:
category: privilege-escalation
subcategory: export-tool-dest-dir-redirect
scan_target: mcp
confidence: high
agent_source:
type: llm_io
framework:
- any
provider:
- any
detection:
condition: any
conditions:
- field: content
operator: regex
value: '(?i)\b(?:dest_dir|output_dir|export_dir|extract_dir|save_dir|out_dir)\b["\x27]?\s*[:=]\s*["\x27]?(?:~|\$HOME)?/?(?:home/[^/\s"\x27]+/)?\.(?:ssh|aws|gnupg|docker|kube)\b'
description: "Export/extract-tool destination-directory argument set directly to a credential/config directory"
false_positives:
- "A destination-directory argument pointed at the tool's own configured output/working directory (Downloads, /tmp, a project workspace), even when it is an absolute path — this rule only fires on the specific credential directories listed (.ssh, .aws, .gnupg, .docker, .kube)"
- "A legitimate SSH/cloud-credential management skill whose documented purpose is to read or back up its own ~/.ssh or ~/.aws directory — should be reviewed for context since the parameter shape is identical to the attack"
response:
actions:
- block_input
- alert
message_template: >
[ATR-2026-02146] Export/extract tool's destination-directory argument is
set directly to a credential directory (.ssh/.aws/.gnupg/.docker/.kube) —
treat as an attempt to plant or overwrite files there, not a routine
output-path configuration.
confidence: 80
wild_fp_rate: 0
test_cases:
true_positives:
- input: 'wireshark_export_objects(dest_dir="/home/user/.ssh/")'
expected: triggered
description: "GHSA-3r68-x3xc-rxpg disclosed pcap-injection PoC — dest_dir redirected to ~/.ssh"
- input: 'wireshark_export_objects(dest_dir="~/.ssh/")'
expected: triggered
description: "Tilde-relative variant of the same dest_dir redirection"
- input: 'merge_pcap_files(output_dir="/home/user/.aws/")'
expected: triggered
description: "Sibling export-family function redirected to the AWS credentials directory"
- input: '{"export_dir": "~/.gnupg/"}'
expected: triggered
description: "JSON-style tool-args export_dir redirected to the GnuPG directory"
true_negatives:
- input: 'dest_dir="/home/user/Downloads/"'
expected: not_triggered
description: "Destination directory pointed at an ordinary Downloads folder"
- input: "output_dir=/tmp/pcap_exports/"
expected: not_triggered
description: "Destination directory pointed at an ordinary temp export folder"