CVE-2021-41129
Published 2021-10-06
Priority P3 (54) · high · CVSS 3.1 base score 8.1
CVSS 3.1 vector: AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS: 1.70% (74.3th percentile)
Pterodactyl is an open-source game server management panel built with PHP 7, React, and Go. A malicious user can modify the contents of a `confirmation_token` input during the two-factor authentication process to reference a cache value not associated with the login attempt. In rare cases this can allow a malicious actor to authenticate as a random user in the Panel. The malicious user must target an account with two-factor authentication enabled, and then must provide a correct two-factor authentication token before being authenticated as that user.

Due to a validation flaw in the logic handling user authentication during the two-factor authentication process, a malicious user can trick the system into loading credentials for an arbitrary user by modifying the token sent to the server. This authentication flaw is present in the `LoginCheckpointController@__invoke` method, which handles two-factor authentication for a user. This controller looks for a request input parameter called `confirmation_token`, which is expected to be a 64 character random alpha-numeric string that references a value within the Panel's cache containing a `user_id` value. This value is then used to fetch the user that attempted to log in and look up their two-factor authentication token. Due to the design of this system, any element in the cache that contains only digits could be referenced by a malicious user, and whatever value is stored at that position would be used as the `user_id`. There are a few different areas of the Panel that store integer values into the cache, and a user who determines what those cache keys are could pass one of those keys, which would cause this code pathway to reference an arbitrary user.

At its heart this is a high-risk login bypass vulnerability. However, there are a few additional conditions that must be met in order for this to be successfully executed, notably: 1.) The account referenced by the malicious cache key must have two-factor authentication
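The root cause described above is a lookup that trusts a client-supplied string as a raw cache key and accepts any all-digit value it finds as a `user_id`. The following is an added illustration written for this page; it is not Pterodactyl's code and does not reproduce the Panel's real cache layout. It places the pattern the advisory describes next to a hardened lookup that enforces the 64-character alphanumeric format, namespaces the key so only entries written by the checkpoint step can be found, stores a typed record rather than a bare integer, and consumes the entry on first use. The `login-checkpoint:` prefix, the `purpose` tag and the single-use behaviour are assumptions for the example, and the cache contents are constructed.

```python
import re
import secrets

# Assumed namespace for checkpoint entries; the page does not give the
# Panel's real cache key layout.
CHECKPOINT_PREFIX = "login-checkpoint:"
# The advisory says the token is expected to be 64 random alphanumerics.
TOKEN_RE = re.compile(r"[A-Za-z0-9]{64}")


def create_checkpoint(cache: dict, user_id: int) -> str:
    """Issue a confirmation token after the password step succeeds.

    The cache value is a structured record tagged with its purpose, so a
    bare integer stored elsewhere in the cache can never satisfy the lookup.
    """
    token = secrets.token_hex(32)  # 64 hex characters, satisfies TOKEN_RE
    cache[CHECKPOINT_PREFIX + token] = {"purpose": "2fa", "user_id": user_id}
    return token


def lookup_user_id_vulnerable(cache: dict, token: str):
    """The pattern the advisory describes: the client-supplied token is used
    directly as the cache key, and any all-digit value found there is
    accepted as a user id regardless of who wrote it or why."""
    value = cache.get(token)
    if value is None:
        return None
    text = str(value)
    return int(text) if text.isdigit() else None


def lookup_user_id_hardened(cache: dict, token: str):
    """Hardened lookup: strict token format, namespaced key, typed value,
    and one-time consumption (the single use is an added defensive choice)."""
    if not TOKEN_RE.fullmatch(token):
        return None
    value = cache.pop(CHECKPOINT_PREFIX + token, None)
    if not isinstance(value, dict) or value.get("purpose") != "2fa":
        return None
    user_id = value.get("user_id")
    return user_id if isinstance(user_id, int) else None


def demo() -> dict:
    """Run both lookups against a constructed cache and return the outcomes."""
    # Constructed cache contents: one unrelated integer entry of the kind the
    # advisory describes, plus a legitimate checkpoint issued for user 5.
    cache = {"constructed-unrelated-counter": "42"}
    token = create_checkpoint(cache, user_id=5)
    return {
        # Raw key lookup accepts the unrelated counter as a user id.
        "vulnerable_unrelated_key": lookup_user_id_vulnerable(
            cache, "constructed-unrelated-counter"
        ),
        # Same input is rejected at the format check before touching the cache.
        "hardened_unrelated_key": lookup_user_id_hardened(
            cache, "constructed-unrelated-counter"
        ),
        # A genuine checkpoint token resolves to the user who logged in.
        "hardened_real_token": lookup_user_id_hardened(cache, token),
        # Second presentation of the same token fails: the entry was consumed.
        "hardened_replay": lookup_user_id_hardened(cache, token),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

The format check alone would have stopped keys that are not 64 alphanumerics, but the namespacing and the typed record are what remove the class of bug: even a 64-character alphanumeric key written by some other part of the application cannot be mistaken for a login checkpoint.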
Affected
3 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| pterodactyl | panel | — | — |
| pterodactyl | panel | >= 1.0.0 < 1.6.2 | 1.6.2 |
| pterodactyl | panel | >= 1.0.0 < 1.6.2 | 1.6.2 |
CVSS provenance
NVD v3.1: 8.1 HIGH, CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
NVD v2.0: 6.8 MEDIUM, AV:N/AC:M/Au:N/C:P/I:P/A:P
GHSA advisory (2021-10-04): CVE-2021-41129 [HIGH], CWE-287: Pterodactyl Panel vulnerable to authentication bypass due to improper user-provided security token verification
OSV entry (2021-10-04): CVE-2021-41129 [HIGH]: Pterodactyl Panel vulnerable to authentication bypass due to improper user-provided security token verification
No detection rules found.
No public exploits indexed.
No writeups or analysis indexed.
https://github.com/pterodactyl/panel/blob/v1.6.2/CHANGELOG.md#v162
https://github.com/pterodactyl/panel/commit/4a84c36009be10dbd83051ac1771662c056e4977
https://github.com/pterodactyl/panel/releases/tag/v1.6.2
https://github.com/pterodactyl/panel/security/advisories/GHSA-5vfx-8w6m-h3v4