Authenticated user can perform actions against servers they do not have access to

Critical
DaneEveritt published GHSA-g8gw-6j32-8w7g Jan 20, 2021

Package

No package listed

Affected versions

>= 1.0.0

Patched versions

1.2.2

Description

Impact

Users who are marked as the owner of a server on the Panel — or have been granted the proper subuser permissions on any server — are able to perform the following actions against every server instance in Pterodactyl without proper authentication controls:

  • Trigger a specific schedule's execution.
  • Rotate the password for, and thus reveal the connection credentials of, a game-server database.
  • View the details of any backup that exists for a server, and subsequently trigger the deletion of these backups.

At this time we have no reason to believe any other parts of Pterodactyl were affected by this vulnerability, including game console access, power controls, file management, sub-user management, or any other system not explicitly listed above. While the existence of a backup could be determined, there was no breach of the authentication mechanisms in place preventing unauthorized users from downloading those backups. In addition to patching the underlying logic failure that allowed this vulnerability, an additional array of integration tests has been rolled out to guard all endpoints, including those that were not affected, against any future regressions relating to this issue.

Additional Details

Due to the way the system is configured, it is highly unlikely that a user would be able to correctly guess a UUID for backups and exploit this against such targets; however, we cannot safely say that it can't happen. Additionally, in order to access the endpoints for database management a user would need to have a valid HashID generated for that database. These are not cryptographically secure values, however, and given enough time and effort a determined individual may be able to generate valid sequences.

However, all of the above statements should be disregarded if a user had any level of subuser access to a server and could find those IDs using their normally acquired permission set.
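The Impact and Additional Details sections above describe the same underlying pattern: the permission check runs against the server named in the request, but the schedule, database or backup is then looked up by a global identifier (UUID or HashID) without confirming it belongs to that server, so any user with legitimate access to one server can reach resources on another if they know the identifier. The following Python model is an added illustration of that logic failure and its fix; it is not Pterodactyl's code, and the server records, permission names and backup UUIDs in it are constructed sample values. It also includes a small cross-scope regression check of the kind the advisory says was rolled out across all endpoints.

```python
# Added illustration (not Pterodactyl code): a permission check on the route's
# server is not enough when the resource is then fetched by a global identifier.
from dataclasses import dataclass, field


class AuthorizationError(Exception):
    """User lacks the permission on the server named in the route (HTTP 403)."""


class NotFoundError(Exception):
    """Resource does not exist inside the requested server's scope (HTTP 404)."""


@dataclass(frozen=True)
class Backup:
    uuid: str          # constructed sample value, not a real backup UUID
    server_id: int


@dataclass
class Server:
    id: int
    owner_id: int
    # user_id -> set of granted subuser permissions (hypothetical permission names)
    subuser_permissions: dict = field(default_factory=dict)
    backups: list = field(default_factory=list)


# Constructed sample data: two servers belonging to different owners.
SERVERS = {
    1: Server(id=1, owner_id=100, backups=[Backup("aaaa-1111", 1)],
              subuser_permissions={300: {"backup.read"}}),
    2: Server(id=2, owner_id=200, backups=[Backup("bbbb-2222", 2)]),
}
# A global index keyed only by UUID, as a naive repository layer might expose it.
ALL_BACKUPS = {b.uuid: b for s in SERVERS.values() for b in s.backups}


def user_may(user_id: int, server: Server, permission: str) -> bool:
    """The owner holds every permission; subusers only those explicitly granted."""
    if server.owner_id == user_id:
        return True
    return permission in server.subuser_permissions.get(user_id, set())


def vulnerable_get_backup(user_id: int, server_id: int, backup_uuid: str) -> Backup:
    """Flawed pattern: authorizes against the route's server, then fetches the
    backup from the global table without checking that it belongs to that server."""
    server = SERVERS[server_id]
    if not user_may(user_id, server, "backup.read"):
        raise AuthorizationError(server_id)
    return ALL_BACKUPS[backup_uuid]          # no server-scope check here


def hardened_get_backup(user_id: int, server_id: int, backup_uuid: str) -> Backup:
    """Fixed pattern: the lookup is scoped to the authorized server, so a valid
    UUID belonging to some other server is simply 'not found' on this route."""
    server = SERVERS[server_id]
    if not user_may(user_id, server, "backup.read"):
        raise AuthorizationError(server_id)
    for backup in server.backups:
        if backup.uuid == backup_uuid:
            return backup
    raise NotFoundError(backup_uuid)


def outcome(handler, user_id: int, server_id: int, backup_uuid: str) -> str:
    """Collapse a handler call into the HTTP-style result a test would assert on."""
    try:
        backup = handler(user_id, server_id, backup_uuid)
    except AuthorizationError:
        return "forbidden"
    except NotFoundError:
        return "not_found"
    return "allowed" if backup.server_id == server_id else "cross_server_leak"


def leaks_across_servers(handler) -> bool:
    """Regression check in the spirit of the advisory's integration tests: as the
    owner of server 1, on server 1's route, ask for server 2's backup UUID."""
    return outcome(handler, 100, 1, "bbbb-2222") == "cross_server_leak"


if __name__ == "__main__":
    print("vulnerable leaks:", leaks_across_servers(vulnerable_get_backup))
    print("hardened leaks:  ", leaks_across_servers(hardened_get_backup))
```

The point of `leaks_across_servers` is that it needs no guessing at all: it uses an identifier the test already knows, which is exactly the situation the advisory describes for a user who holds subuser access on one server and can discover IDs through their normal permission set. The fix does not depend on identifiers being unguessable; it only consults the scope the request was authorized for.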

Patches

Users should upgrade to v1.2.2 immediately in order to address this vulnerability.

Workarounds

No workarounds are available at this time; upgrading is the only recommended option.

For more information

If you have any questions or comments about this advisory please reach out to Tactical Fish#8008 on Discord or email dane ât pterodactyl.io.

Severity

Critical

CVE ID

No known CVE

Weaknesses

No CWEs