CVE-2023-32080 in Wings

Summary

by MITRE • 05/11/2023

Wings is the server control plane for Pterodactyl Panel. A vulnerability affecting versions prior to 1.7.5 and versions 1.11.0 prior to 1.11.6 impacts anyone running the affected versions of Wings. This vulnerability can be used to gain access to the host system running Wings if a user is able to modify a server's install script or the install script executes code supplied by the user (either through environment variables, or commands that execute commands based off of user data). This vulnerability has been resolved in version `v1.11.6` of Wings, and has been back-ported to the 1.7 release series in `v1.7.5`. Anyone running `v1.11.x` should upgrade to `v1.11.6` and anyone running `v1.7.x` should upgrade to `v1.7.5`.

There are no workarounds aside from upgrading. Running Wings with a rootless container runtime may mitigate the severity of any attacks, however the majority of users are using container runtimes that run as root as per the Wings documentation. SELinux may prevent attackers from performing certain operations against the host system, however privileged containers have a lot of freedom even on systems with SELinux enabled.

It should be noted that this was a known attack vector; for attackers to easily exploit this attack, it would require compromising an administrator account on a Panel. However, certain eggs (the data structure that holds the install scripts that get passed to Wings) have an issue where they are unknowingly executing shell commands with escalated privileges provided by untrusted user data.

Analysis

by VulDB Data Team • 05/11/2023

The vulnerability identified as CVE-2023-32080 affects Wings, the server control plane component of the Pterodactyl Panel ecosystem, representing a critical privilege escalation flaw that enables attackers to gain unauthorized access to underlying host systems. This vulnerability specifically impacts versions prior to 1.7.5 and versions 1.11.0 prior to 1.11.6, creating a persistent security risk for deployments running these affected releases. The flaw stems from improper handling of user-supplied data within server installation scripts, particularly when these scripts execute commands based on environment variables or user-provided inputs. The technical implementation allows for command injection scenarios where untrusted data flows directly into shell execution contexts without adequate sanitization or validation mechanisms.

The operational impact of this vulnerability extends beyond simple privilege escalation to encompass complete host system compromise when attackers can manipulate installation scripts or when these scripts execute code supplied by users. This represents a significant deviation from the expected security boundaries between containerized server environments and the underlying host infrastructure. According to CWE classification, this vulnerability aligns with CWE-78, which addresses improper neutralization of special elements used in OS commands, and CWE-20, which covers insecure input handling. The attack vector requires an initial compromise of administrative credentials on the Panel system to fully exploit the vulnerability, yet the underlying design flaw creates a dangerous escalation path that could be leveraged by attackers who have already achieved partial system access.

The remediation strategy mandates immediate upgrade to version 1.11.6 for users running v1.11.x releases and version 1.7.5 for those operating v1.7.x deployments, as these versions contain the necessary patches to address the command injection vulnerabilities. Security professionals should note that while running Wings with rootless container runtimes might reduce the severity of potential attacks, this mitigation is not universally applicable since most Pterodactyl deployments follow documentation guidelines that require root-level container operations. Additionally, while SELinux policies may provide some protection against specific host-level operations, privileged containers maintain substantial freedom of action even on systems with SELinux enabled, limiting the effectiveness of mandatory access controls in this scenario. The vulnerability represents a fundamental flaw in the design of how user data is processed within installation scripts, where trust boundaries between administrative interfaces and execution environments have been improperly established, creating a dangerous pathway for attackers to escalate privileges from containerized server environments to full host system control.
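
A defensive audit for the egg problem described in the summary, as an added example that is not code from Wings, Pterodactyl or the advisory: it flags install-script lines where a user-editable variable reaches a construct that re-parses it as shell code. The egg field names (`scripts.installation.script`, `variables[].env_variable`, `user_editable`), the sample egg and the `audit_egg` helper are assumptions made for illustration.

```python
import json
import re

# Constructed sample egg export (not a real egg). Field names are assumed
# from the Pterodactyl egg JSON layout: scripts.installation.script and
# variables[].env_variable / user_editable.
SAMPLE_EGG = json.dumps({
    "scripts": {"installation": {"script": "\n".join([
        "#!/bin/bash",
        "cd /mnt/server",
        'curl -sSL -o server.jar -- "${DOWNLOAD_URL}"',
        'eval "./configure ${BUILD_FLAGS}"',
        'bash -c "echo installing $SERVER_NAME"',
        'echo "memory: ${SERVER_MEMORY}" > settings.yml',
    ])}},
    "variables": [
        {"env_variable": "DOWNLOAD_URL", "user_editable": True},
        {"env_variable": "BUILD_FLAGS", "user_editable": True},
        {"env_variable": "SERVER_NAME", "user_editable": True},
        {"env_variable": "SERVER_MEMORY", "user_editable": False},
    ],
})

# Constructs that hand a string back to a shell for a second round of parsing.
REPARSE = re.compile(r"\beval\b|\b(?:ba|da|z)?sh\s+-c\b|`|\|\s*(?:ba)?sh\b")


def audit_egg(egg_json):
    """Return (line_no, variable, line) for each install-script line that
    re-parses a user-editable variable as shell code."""
    egg = json.loads(egg_json)
    script = egg.get("scripts", {}).get("installation", {}).get("script", "")
    editable = [v["env_variable"] for v in egg.get("variables", [])
                if v.get("user_editable")]
    findings = []
    for no, line in enumerate(script.splitlines(), start=1):
        if line.lstrip().startswith("#") or not REPARSE.search(line):
            continue
        for var in editable:
            # Matches $VAR and ${VAR...} but not $VAR_SUFFIX.
            if re.search(r"\$\{?" + re.escape(var) + r"(?![A-Za-z0-9_])", line):
                findings.append((no, var, line.strip()))
    return findings


if __name__ == "__main__":
    for no, var, line in audit_egg(SAMPLE_EGG):
        print(f"line {no}: user-editable ${var} reaches a shell re-parse: {line}")
```

Treat hits as review candidates: the heuristic does not follow a variable through assignments or into helper scripts the installer downloads.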

Responsible: GitHub, Inc.
Reservation: 05/01/2023
Disclosure: 05/11/2023
Moderation: accepted
CPE: ready
EPSS: 0.00917
KEV: no
Activities: very low
