PT-2021-23112 · Unknown · Pterodactyl

Dane Everitt · Published 2021-10-04 · Updated 2022-08-12

CVE-2021-41129 · CVSS v3.1 8.1 (High) · Vector AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions: Pterodactyl Panel, versions before 1.6.3 (this record does not list affected versions; the range is taken from the linked advisory GHSA-5vfx-8w6m-h3v4)
Description: A malicious user can modify the confirmation token submitted during the two-factor authentication step so that it references a cache entry not associated with their own login attempt. This lets the attacker authenticate as an arbitrary Panel user, subject to two conditions: the targeted account must have two-factor authentication enabled, and the attacker must still supply a valid two-factor code for that account before being logged in as it.

The flaw is in the LoginCheckpointController@__invoke method, which handles the two-factor step of the login flow. It reads a request input named confirmation_token, expected to be a 64-character random alphanumeric string, and uses it as the key of a cache entry that holds the id of the user whose login is in progress. Because the key is taken directly from the request and is never bound to the requesting session, the server loads credentials for whichever user the supplied token refers to rather than for the user who passed the password step.
Recommendations: The fix replaces the user-controlled confirmation_token lookup with an encrypted session store whose contents the client cannot modify, so no request-supplied value selects the pending login. The surrounding authentication code was also audited for the same pattern. Per GHSA-5vfx-8w6m-h3v4 the fix shipped in Pterodactyl Panel 1.6.3; upgrade to 1.6.3 or later.
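The two shapes contrasted in the description and recommendation above, as an added illustration that is not Pterodactyl's own code: a checkpoint that resolves the pending user from a request-supplied cache key, beside one that resolves it from a sealed session the client cannot edit. Laravel's cache and session are replaced by plain arrays and an AES-256-GCM blob; every function name, the pending_user_id key, the 64-character sample tokens and the user ids are constructed for the example.

```php
<?php
declare(strict_types=1);

// Added example, not Pterodactyl's code. Plain arrays stand in for Laravel's
// cache and session; all names, tokens and ids below are hypothetical.

// Constructed server state: the password step of two separate logins has
// stored each pending user id in the cache under a 64-character random token.
// User 7 is the attacker's own account, user 1 is the targeted administrator.
$attackerToken = str_repeat('a', 64);
$victimToken   = str_repeat('b', 64);
$cache = [
    $attackerToken => ['user_id' => 7],
    $victimToken   => ['user_id' => 1],
];

// Pre-fix shape: the cache key comes straight from the request. The format
// check proves only that the client sent 64 alphanumerics, not that the token
// belongs to this client's login attempt.
function vulnerableCheckpoint(array $cache, array $request): ?int
{
    $token = (string) ($request['confirmation_token'] ?? '');
    if (!preg_match('/\A[A-Za-z0-9]{64}\z/', $token)) {
        return null;
    }
    return $cache[$token]['user_id'] ?? null;
}

// Post-fix shape: the pending user id is sealed with a key only the server
// holds (AES-256-GCM here, standing in for Laravel's encrypted session). The
// client returns the blob but cannot read, edit or forge it; any change fails
// authentication of the ciphertext and the checkpoint loads nobody.
function sealSession(array $payload, string $key): string
{
    $iv  = random_bytes(12);
    $tag = '';
    $ct  = openssl_encrypt(json_encode($payload), 'aes-256-gcm', $key,
                           OPENSSL_RAW_DATA, $iv, $tag);
    return base64_encode($iv . $tag . $ct);
}

function openSession(string $cookie, string $key): ?array
{
    $raw = base64_decode($cookie, true);
    if ($raw === false || strlen($raw) < 28) {
        return null;
    }
    $plain = openssl_decrypt(substr($raw, 28), 'aes-256-gcm', $key,
                             OPENSSL_RAW_DATA, substr($raw, 0, 12), substr($raw, 12, 16));
    if ($plain === false) {
        return null;                     // tampered, forged or wrong key
    }
    $payload = json_decode($plain, true);
    return is_array($payload) ? $payload : null;
}

function hardenedCheckpoint(string $sessionCookie, string $key): ?int
{
    // The request body is deliberately not consulted: the only input that
    // selects the pending user is the sealed session. The TOTP code for that
    // user is still verified afterwards, exactly as before the fix.
    $session = openSession($sessionCookie, $key);
    return $session['pending_user_id'] ?? null;
}

// Attacker completes the password step as user 7 ...
$request = ['confirmation_token' => $attackerToken];
echo 'vulnerable, own token:      user ', var_export(vulnerableCheckpoint($cache, $request), true), "\n";
// ... then swaps in a token that references another pending login (AC:H: the
// attacker has to know or guess a valid 64-character token for that login).
$request['confirmation_token'] = $victimToken;
echo 'vulnerable, swapped token:  user ', var_export(vulnerableCheckpoint($cache, $request), true), "\n";

// Hardened flow: the request value is never read, and the blob cannot be bent
// to point at another user.
$serverKey = random_bytes(32);
$cookie    = sealSession(['pending_user_id' => 7], $serverKey);
echo 'hardened, own session:      user ', var_export(hardenedCheckpoint($cookie, $serverKey), true), "\n";
$raw = base64_decode($cookie);
$raw[strlen($raw) - 1] = chr(ord($raw[strlen($raw) - 1]) ^ 0x01);   // flip one ciphertext bit
echo 'hardened, tampered blob:    user ', var_export(hardenedCheckpoint(base64_encode($raw), $serverKey), true), "\n";
$forged = sealSession(['pending_user_id' => 1], random_bytes(32));   // sealed without the server key
echo 'hardened, forged blob:      user ', var_export(hardenedCheckpoint($forged, $serverKey), true), "\n";
```

Run with any PHP 7.1+ build that has the openssl extension. The vulnerable function returns 7 for the attacker's own token and 1 once the token is swapped; the hardened function returns 7 for the genuine blob and null for both the bit-flipped and the independently sealed one, which is the property the advisory's fix relies on: the value that selects the pending user is authenticated server-side data, not a request field.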

Weakness Enumeration

IDOR

Improper Authentication

Deserialization of Untrusted Data

Related Identifiers

CVE-2021-41129
GHSA-5vfx-8w6m-h3v4

Affected Products

Pterodactyl