Security Vulnerability Disclosure: June 26th, 2017
On June 26th, 2017 we made an immediate hot-fix security release to address a critical application bug that allowed unauthenticated users the ability to execute arbitrary code aganist any server running on Pterodactyl Panel. At the time this incident was determined to be too significant to warrant an immediate full-disclosure and we made only basic detail available encouraging all users to update immediately. As we have now passed our cut-off date that we announced, a full disclosure will be happening in this post.
Due to an implementation in the jQuery based terminal we were using, anything that was passed inside of double square brackets was determined to be a new command, and was executed as such. This exploit hinged on a user loading the web-console within Pterodactyl to execute any commands sorrounded by brackets. As soon as this bug was reported I took immediate action to narrow down the exact scope of the bug, and determine if it was isolated to specific games and if it required specific knowledge to execute. Unfortunately it quickly because clear that all software running via the Panel was at risk, and that no special knowledge was required in order to execute commands. The full attack vector quickly became more obvious as any commands in the server’s console history would also be executed, even if the console was not open at the time of the command execution.
This exploit did not require any access to the panel, and any user who could send input to the server that was rendered in a log would be able to execute arbitrary commands aganist the game server. Commands simply needed to be sorrounded in square brackets, and it did not matter where in the line they were. An example of this exploit is below.
this is my [[op Username]] text
In this instance, the output would be parsed by the web terminal to execute
op Username as a second command as the currently authenticated panel user. This execution also caused the original message to be lost in most cases. Because of the way the terminal loaded messages on page load, any commands in the console buffer history were also executed. This allowed a malicious user to send a command, and even if the terminal was not currently open, as long as the message remainined in the scrollback history, it would be executed when the page was loaded.
Narrowing down the scope of this bug to determine which versions of the Panel were affected it discovered that the bug was introduced in
v0.4.0 resulting in a significant vulnerability that affected nearly every panel that was being operated.
Upon discovery I attempted to find a solution that would allow us to continue using the web-console that we were already using, but all solutions hinged on client-side JS, and were not something I felt comfortable pushing onto production environments, nor was I positive that it would cover all edge cases. The jQuery terminal plugin in use did provide functionality to escape brackets, however that caused color formatting to be escaped which made it impossible to filter ANSI codes. Because of these issues, I made the decision to completely strip the web-terminal from the project and a few hours later pushed up a hot-fix using a custom written terminal that did not execute any commands, it simply took the output and pasted it to the browser (escaping code as necessary, and handling ANSI color codes).
This fix was pushed later that night, and a subsequent patch to address residual JS issues and formatting a few days later.
In all previous software bugs, some level of Panel access has been required, and the bugs had been deemed to be something that could be disclosed at the time of the bug-fix release. This bug highlighted a danger in relying on external software to handle different actions, and also highlights a danger in not fully reading the documentation for software being used. During the review phase of this incident, I discovered a small amount of documentation for the web terminal that indicated this behavior was possible that was not seen during the initial implementation.
One of the core principals of this software is to be transparent about any security issues that arise in the course of development. I aim to never make these notifications, unfortunately that has not been the case in recent months. I welcome any questions, comments, or concerns that you might have about this announcement.
June 26th @ 15:00 CST — Support Team member is alerted to the presence of a vulnerability in command handling process. Project team is notifed immediately, basic testing performed to verify legitimacy of bug.
18:00 CST — Full investigation into source of bug is launched, patching begins immediately.
22:36 CST — Bug is patched in
develop branch, and releases are prepared.
23:08 CST —
v0.6.3 release is pushed to GitHub and made available to all users, minutes later notification is made in Discord to alert all inidividuals on the server of the urgency. CDN files updated to reflect a new update that began propigating to all active Panels.
July 27th — Second notification made in Discord to alert users during more active peak times of the security disclosure, and to urge them to update immediately.
July 30th —
v0.6.4 released with a memo at the bottom to encourage updates. An email was sent to the mailing list to reach out to more individuals.
July 8th — Additional notification made in Discord to alert users to update pending this announcement.