Headline
CVE-2023-25168: server(filesystem): Delete tweaks · pterodactyl/wings@429ac62
Wings is Pterodactyl’s server control plane. This vulnerability can be used to delete files and directories recursively on the host system. This vulnerability can be combined with GHSA-p8r3-83r8-jwj5 to overwrite files on the host system. In order to use this exploit, an attacker must have an existing “server” allocated and controlled by Wings. This vulnerability has been resolved in version v1.11.4 of Wings, and has been back-ported to the 1.7 release series in v1.7.4. Anyone running v1.11.x should upgrade to v1.11.4 and anyone running v1.7.x should upgrade to v1.7.4. There are no known workarounds for this issue.
@@ -537,6 +537,80 @@ func TestFilesystem_Delete(t *testing.T) { } })
g.It("deletes a symlink but not it’s target within the root directory", func() { // Symlink to a file inside the root directory. err := os.Symlink(filepath.Join(rfs.root, “server/source.txt”), filepath.Join(rfs.root, “server/symlink.txt”)) g.Assert(err).IsNil()
// Delete the symlink itself. err = fs.Delete(“symlink.txt”) g.Assert(err).IsNil()
// Ensure the symlink was deleted. _, err = os.Lstat(filepath.Join(rfs.root, “server/symlink.txt”)) g.Assert(err).IsNotNil()
// Ensure the symlink target still exists. _, err = os.Lstat(filepath.Join(rfs.root, “server/source.txt”)) g.Assert(err).IsNil() })
g.It("does not delete files symlinked outside of the root directory", func() { // Create a file outside the root directory. err := rfs.CreateServerFileFromString("/…/source.txt", “test content”) g.Assert(err).IsNil()
// Create a symlink to the file outside the root directory. err = os.Symlink(filepath.Join(rfs.root, “source.txt”), filepath.Join(rfs.root, “/server/symlink.txt”)) g.Assert(err).IsNil()
// Delete the symlink. (This should pass as we will delete the symlink itself, not it’s target) err = fs.Delete(“symlink.txt”) g.Assert(err).IsNil()
// Ensure the file outside the root directory still exists. _, err = os.Lstat(filepath.Join(rfs.root, “source.txt”)) g.Assert(err).IsNil() })
g.It("does not delete files symlinked through a directory outside of the root directory", func() { // Create a directory outside the root directory. err := os.Mkdir(filepath.Join(rfs.root, “foo”), 0o755) g.Assert(err).IsNil()
// Create a file inside the directory that is outside the root. err = rfs.CreateServerFileFromString("/…/foo/source.txt", “test content”) g.Assert(err).IsNil()
// Symlink the directory that is outside the root to a file inside the root. err = os.Symlink(filepath.Join(rfs.root, “foo”), filepath.Join(rfs.root, “server/symlink”)) g.Assert(err).IsNil()
// Delete a file inside the symlinked directory. err = fs.Delete(“symlink/source.txt”) g.Assert(err).IsNotNil() g.Assert(IsErrorCode(err, ErrCodePathResolution)).IsTrue()
// Ensure the file outside the root directory still exists. _, err = os.Lstat(filepath.Join(rfs.root, “foo/source.txt”)) g.Assert(err).IsNil() })
g.It("returns an error when trying to delete a non-existent file symlinked through a directory outside of the root directory", func() { // Create a directory outside the root directory. err := os.Mkdir(filepath.Join(rfs.root, “foo2”), 0o755) g.Assert(err).IsNil()
// Symlink the directory that is outside the root to a file inside the root. err = os.Symlink(filepath.Join(rfs.root, “foo2”), filepath.Join(rfs.root, “server/symlink”)) g.Assert(err).IsNil()
// Delete a file inside the symlinked directory. err = fs.Delete(“symlink/source.txt”) g.Assert(err).IsNotNil() g.Assert(IsErrorCode(err, ErrCodePathResolution)).IsTrue() })
g.AfterEach(func() { rfs.reset()
Related news
### Impact This vulnerability impacts anyone running the affected versions of Wings. The vulnerability can be used to delete files and directories recursively on the host system. This vulnerability can be combined with [`GHSA-p8r3-83r8-jwj5`](https://github.com/pterodactyl/wings/security/advisories/GHSA-p8r3-83r8-jwj5) to overwrite files on the host system. In order to use this exploit, an attacker must have an existing "server" allocated and controlled by Wings. Information on how the exploitation of this vulnerability works will be released on February 24th, 2023 in North America. ### Patches This vulnerability has been resolved in version `v1.11.4` of Wings, and has been back-ported to the 1.7 release series in `v1.7.4`. Anyone running `v1.11.x` should upgrade to `v1.11.4` and anyone running `v1.7.x` should upgrade to `v1.7.4`. ### Workarounds None at this time.