Two safety vulnerabilities have been disclosed within the open-source Traccar GPS monitoring system that might be probably exploited by unauthenticated attackers to attain distant code execution beneath sure circumstances.
Each the vulnerabilities are path traversal flaws and might be weaponized if visitor registration is enabled, which is the default configuration for Traccar 5, Horizon3.ai researcher Naveen Sunkavally mentioned.
A short description of the shortcomings is as follows –
- CVE-2024-24809 (CVSS rating: 8.5) – Path Traversal: ‘dir/../../filename’ and unrestricted add of file with harmful kind
- CVE-2024-31214 (CVSS rating: 9.7) – Unrestricted file add vulnerability in gadget picture add might result in distant code execution
“The web results of CVE-2024-31214 and CVE-2024-24809 is that an attacker can place recordsdata with arbitrary content material anyplace on the file system,” Sunkavally mentioned. “Nonetheless an attacker solely has partial management over the filename.”
The problems need to do with how this system handles gadget picture file uploads, successfully permitting an attacker to overwrite sure recordsdata on the file system and set off code execution. This consists of recordsdata matching the beneath naming format –
- gadget.ext, the place the attacker can management ext, however there MUST be an extension
- blah”, the place the attacker can management blah however the filename should finish with a double quote
- blah1″;blah2=blah3, the place the attacker can management blah1, blah2, and blah3, however the double quote semicolon sequence and equals image MUST be current
In a hypothetical proof-of-concept (PoC) devised by Horizon3.ai, an adversary can exploit the trail traversal within the Content material-Kind header to add a crontab file and procure a reverse shell on the attacker host.
This assault methodology, nevertheless, doesn’t work on Debian/Ubuntu-based Linux methods on account of file naming restrictions that bar crontab recordsdata from having durations or double quotes.
An alternate mechanism entails benefiting from Traccar being put in as a root-level person to drop a kernel module or configuring an udev rule to run an arbitrary command each time a {hardware} occasion is raised.
On vulnerable Home windows situations, distant code execution may be achieved by putting a shortcut (LNK) file named “gadget.lnk” within the C:ProgramDataMicrosoftWindowsStart MenuProgramsStartUp folder, which will get subsequently executed when any sufferer person logs into the Traccar host.
Traccar variations 5.1 to five.12 are susceptible to CVE-2024-31214 and CVE-2024-2809. The problems have been addressed with the discharge of Traccar 6 in April 2024 which turns off self-registration by default, thereby decreasing the assault floor.
“If the registration setting is true, readOnly is fake, and deviceReadonly is fake, then an unauthenticated attacker can exploit these vulnerabilities,” Sunkavally mentioned. “These are the default settings for Traccar 5.”
