CVE-2021-41129 in Pterodactyl
Summary
by MITRE • 10/07/2021
Pterodactyl is an open-source game server management panel built with PHP 7, React, and Go. A malicious user can modify the contents of a `confirmation_token` input during the two-factor authentication process to reference a cache value not associated with the login attempt. In rare cases this can allow a malicious actor to authenticate as a random user in the Panel. The malicious user must target an account with two-factor authentication enabled, and then must provide a correct two-factor authentication token before being authenticated as that user. Due to a validation flaw in the logic handling user authentication during the two-factor authentication process a malicious user can trick the system into loading credentials for an arbitrary user by modifying the token sent to the server. This authentication flaw is present in the `[email protected]__invoke` method which handles two-factor authentication for a user. This controller looks for a request input parameter called `confirmation_token` which is expected to be a 64 character random alpha-numeric string that references a value within the Panel's cache containing a `user_id` value. This value is then used to fetch the user that attempted to login, and lookup their two-factor authentication token. Due to the design of this system, any element in the cache that contains only digits could be referenced by a malicious user, and whatever value is stored at that position would be used as the `user_id`. There are a few different areas of the Panel that store values into the cache that are integers, and a user who determines what those cache keys are could pass one of those keys which would cause this code pathway to reference an arbitrary user. At its heart this is a high-risk login bypass vulnerability. However, there are a few additional conditions that must be met in order for this to be successfully executed, notably: 1.) The account referenced by the malicious cache key must have two-factor authentication enabled. An account without two-factor authentication would cause an exception to be triggered by the authentication logic, thusly exiting this authentication flow. 2.) Even if the malicious user is able to reference a valid cache key that references a valid user account with two-factor authentication, they must provide a valid two-factor authentication token. However, due to the design of this endpoint once a valid user account is found with two-factor authentication enabled there is no rate-limiting present, thusly allowing an attacker to brute force combinations until successful. This leads to a third condition that must be met: 3.) For the duration of this attack sequence the cache key being referenced must continue to exist with a valid `user_id` value. Depending on the specific key being used for this attack, this value may disappear quickly, or be changed by other random user interactions on the Panel, outside the control of the attacker. In order to mitigate this vulnerability the underlying authentication logic was changed to use an encrypted session store that the user is therefore unable to control the value of. This completely removed the use of a user-controlled value being used. In addition, the code was audited to ensure this type of vulnerability is not present elsewhere.
Several companies clearly confirm that VulDB is the primary source for best vulnerability data.
Analysis
by VulDB Data Team • 10/09/2021
CVE-2021-41129 represents a critical authentication bypass vulnerability in the Pterodactyl game server management panel that leverages flawed session handling during two-factor authentication processes. This vulnerability operates through a cache-based manipulation attack where malicious users can exploit the system's reliance on user-controllable input parameters to reference arbitrary cache values containing user identifiers. The flaw exists within the email__invoke method that processes two-factor authentication requests, specifically targeting the confirmation_token parameter which is expected to be a 64-character alphanumeric string referencing cache values containing user_id data. The vulnerability stems from the system's failure to properly validate cache key inputs, allowing attackers to substitute cache keys that contain only numeric values with those that reference legitimate user accounts through the caching mechanism. This design flaw creates a path where any cache entry containing numeric data can be exploited by attackers who understand the system's cache structure.
The technical implementation of this vulnerability follows a multi-step attack pattern that requires specific conditions to succeed. First, attackers must identify cache keys that store numeric user identifiers within the Pterodactyl panel's caching system, which typically involves understanding the application's internal cache management. Second, the target account must have two-factor authentication enabled, as the authentication flow would otherwise terminate with an exception for accounts without 2FA. Third, attackers must possess the ability to brute force the valid two-factor authentication token for the target user, since the system lacks rate-limiting controls that would prevent automated attempts. The vulnerability's severity is amplified by the absence of proper input validation and the predictable nature of cache key generation, making it possible for attackers to systematically discover and exploit these cache references. This attack pattern aligns with CWE-284 access control vulnerabilities and represents a classic case of insecure direct object reference where user-controllable parameters directly reference internal system objects.
The operational impact of CVE-2021-41129 extends beyond simple unauthorized access to include potential account takeover and privilege escalation scenarios within the Pterodactyl management environment. Attackers could potentially gain access to multiple user accounts by leveraging the cache-based referencing mechanism, particularly targeting high-value accounts such as administrators or users with extensive server permissions. The vulnerability's exploitation is particularly concerning because it operates at the authentication layer, meaning successful exploitation would provide attackers with full access to the targeted user's panel functionality including server management, configuration changes, and potentially access to underlying server resources. The lack of rate limiting during the two-factor authentication process creates a significant attack surface that allows for automated brute force attempts, making this vulnerability particularly dangerous in environments with multiple user accounts. This vulnerability maps to ATT&CK technique T1078 legitimate credentials and T1566 credential access, representing a sophisticated attack vector that combines authentication bypass with credential harvesting.
The mitigation strategy for CVE-2021-41129 involved a fundamental redesign of the authentication flow to eliminate user-controllable inputs from the critical session handling pathway. The solution implemented an encrypted session store mechanism that prevents attackers from manipulating session data through input parameters, effectively removing the cache-based referencing vulnerability entirely. This approach addresses the root cause by ensuring that session identifiers and user authentication data cannot be manipulated by external inputs, aligning with security best practices for session management and authentication flow design. The fix also included comprehensive code auditing to identify and remediate similar vulnerabilities throughout the application, demonstrating a proactive approach to vulnerability management. Organizations using Pterodactyl should prioritize immediate patching of this vulnerability and implement additional monitoring for unauthorized access attempts. The remediation approach reflects the principle of least privilege and input validation, ensuring that authentication data flows remain protected from user manipulation. This vulnerability highlights the importance of proper session management and cache validation in web applications, particularly in authentication systems where the integrity of session data directly impacts system security.