Two safety vulnerabilities have been disclosed within the open-source Traccar GPS monitoring system that may very well be doubtlessly exploited by unauthenticated attackers to attain distant code execution beneath sure circumstances.
Each the vulnerabilities are path traversal flaws and may very well be weaponized if visitor registration is enabled, which is the default configuration for Traccar 5, Horizon3.ai researcher Naveen Sunkavally stated.
A quick description of the shortcomings is as follows –
- CVE-2024-24809 (CVSS rating: 8.5) – Path Traversal: ‘dir/../../filename’ and unrestricted add of file with harmful kind
- CVE-2024-31214 (CVSS rating: 9.7) – Unrestricted file add vulnerability in machine picture add may result in distant code execution
“The net result of CVE-2024-31214 and CVE-2024-24809 is that an attacker can place files with arbitrary content anywhere on the file system,” Sunkavally stated. “However an attacker only has partial control over the filename.”
The problems should do with how this system handles machine picture file uploads, successfully permitting an attacker to overwrite sure recordsdata on the file system and set off code execution. This consists of recordsdata matching the beneath naming format –
- machine.ext, the place the attacker can management ext, however there MUST be an extension
- blah”, the place the attacker can management blah however the filename should finish with a double quote
- blah1″;blah2=blah3, the place the attacker can management blah1, blah2, and blah3, however the double quote semicolon sequence and equals image MUST be current
In a hypothetical proof-of-concept (PoC) devised by Horizon3.ai, an adversary can exploit the trail traversal within the Content material-Kind header to add a crontab file and acquire a reverse shell on the attacker host.
This assault methodology, nonetheless, doesn’t work on Debian/Ubuntu-based Linux methods on account of file naming restrictions that bar crontab recordsdata from having durations or double quotes.
An alternate mechanism entails profiting from Traccar being put in as a root-level person to drop a kernel module or configuring an udev rule to run an arbitrary command each time a {hardware} occasion is raised.
On prone Home windows situations, distant code execution is also achieved by inserting a shortcut (LNK) file named “device.lnk” within the C:ProgramDataMicrosoftWindowsStart MenuProgramsStartUp folder, which will get subsequently executed when any sufferer person logs into the Traccar host.
Traccar variations 5.1 to five.12 are weak to CVE-2024-31214 and CVE-2024-2809. The problems have been addressed with the discharge of Traccar 6 in April 2024 which turns off self-registration by default, thereby lowering the assault floor.
“If the registration setting is true, readOnly is false, and deviceReadonly is false, then an unauthenticated attacker can exploit these vulnerabilities,” Sunkavally stated. “These are the default settings for Traccar 5.”
