Impact
Users who are marked as the owner of a server on the Panel — or have been granted the proper subuser permissions on any server — are able to perform the following actions against every server instance in Pterodactyl without proper authentication controls:
- Trigger a specific schedule's execution.
- Rotate the password for, and thusly reveal the connection credentials for a game-server database.
- View the details of any backup that exists for a server, and subsequently trigger the deletion of these backups.
At this time we have no reason to believe any other parts of Pterodactyl were affected by this vulnerability including game console access, power controls, file management, sub-user management, or any other system not explicitly listed above. While the existence of a backup could be determined there was no breach of the authentication mechanisms in place preventing unauthorized users from downloading those backups. In addition to patching the underlying logic failure that allowed this vulnerability to happen an additional array of integration tests have been rolled out to guard all endpoints, including those that were not affected, against any future regressions relating to this issue.
Additional Details
Due to the way the system is configured it is highly unlikely that a user would be able to correctly guess a UUID for backups and be able to exploit this against such targets, however we cannot safely say that it can't happen. Additionally, in order to access the endpoints for database management a user would need to have a valid HashID generated for that database. These are not cryptographically secure values however, and given enough time and effort a determined individual may be able to generate valid sequences.
However, all of the above statements should be disregarded if a user had any level of subuser access to a server and could find those IDs using their normally acquired permission set.
Patches
Users should upgrade to v1.2.2 immediately in order to address this vulnerability.
Workarounds
No workarounds are available at this time, upgrading is the only recommended option.
For more information
If you have any questions or comments about this advisory please reach out to Tactical Fish#8008 on Discord or email dane ât pterodactyl.io.
Impact
Users who are marked as the owner of a server on the Panel — or have been granted the proper subuser permissions on any server — are able to perform the following actions against every server instance in Pterodactyl without proper authentication controls:
At this time we have no reason to believe any other parts of Pterodactyl were affected by this vulnerability including game console access, power controls, file management, sub-user management, or any other system not explicitly listed above. While the existence of a backup could be determined there was no breach of the authentication mechanisms in place preventing unauthorized users from downloading those backups. In addition to patching the underlying logic failure that allowed this vulnerability to happen an additional array of integration tests have been rolled out to guard all endpoints, including those that were not affected, against any future regressions relating to this issue.
Additional Details
Due to the way the system is configured it is highly unlikely that a user would be able to correctly guess a UUID for backups and be able to exploit this against such targets, however we cannot safely say that it can't happen. Additionally, in order to access the endpoints for database management a user would need to have a valid
HashIDgenerated for that database. These are not cryptographically secure values however, and given enough time and effort a determined individual may be able to generate valid sequences.However, all of the above statements should be disregarded if a user had any level of subuser access to a server and could find those IDs using their normally acquired permission set.
Patches
Users should upgrade to
v1.2.2immediately in order to address this vulnerability.Workarounds
No workarounds are available at this time, upgrading is the only recommended option.
For more information
If you have any questions or comments about this advisory please reach out to
Tactical Fish#8008on Discord or emaildane ât pterodactyl.io.