Two security vulnerabilities have been disclosed within the open-source Traccar GPS monitoring system that might be probably exploited by unauthenticated attackers to realize distant code execution beneath sure circumstances.
Each the vulnerabilities are path traversal flaws and might be weaponized if visitor registration is enabled, which is the default configuration for Traccar 5, Horizon3.ai researcher Naveen Sunkavally stated.
A quick description of the shortcomings is as follows –
- CVE-2024-24809 (CVSS rating: 8.5) – Path Traversal: ‘dir/../../filename’ and unrestricted add of file with harmful sort
- CVE-2024-31214 (CVSS rating: 9.7) – Unrestricted file add vulnerability in machine picture add may result in distant code execution
“The online results of CVE-2024-31214 and CVE-2024-24809 is that an attacker can place information with arbitrary content material anyplace on the file system,” Sunkavally stated. “Nonetheless an attacker solely has partial management over the filename.”
The problems need to do with how this system handles machine picture file uploads, successfully permitting an attacker to overwrite sure information on the file system and set off code execution. This contains information matching the beneath naming format –
- machine.ext, the place the attacker can management ext, however there MUST be an extension
- blah”, the place the attacker can management blah however the filename should finish with a double quote
- blah1″;blah2=blah3, the place the attacker can management blah1, blah2, and blah3, however the double quote semicolon sequence and equals image MUST be current
In a hypothetical proof-of-concept (PoC) devised by Horizon3.ai, an adversary can exploit the trail traversal within the Content material-Kind header to add a crontab file and procure a reverse shell on the attacker host.
This assault methodology, nevertheless, doesn’t work on Debian/Ubuntu-based Linux methods as a consequence of file naming restrictions that bar crontab information from having intervals or double quotes.
Another mechanism entails benefiting from Traccar being put in as a root-level person to drop a kernel module or configuring an udev rule to run an arbitrary command each time a {hardware} occasion is raised.
On prone Home windows cases, distant code execution is also achieved by putting a shortcut (LNK) file named “machine.lnk” within the C:ProgramDataMicrosoftWindowsStart MenuProgramsStartUp folder, which will get subsequently executed when any sufferer person logs into the Traccar host.
Traccar variations 5.1 to five.12 are weak to CVE-2024-31214 and CVE-2024-2809. The problems have been addressed with the discharge of Traccar 6 in April 2024 which turns off self-registration by default, thereby lowering the assault floor.
“If the registration setting is true, readOnly is fake, and deviceReadonly is fake, then an unauthenticated attacker can exploit these vulnerabilities,” Sunkavally stated. “These are the default settings for Traccar 5.”
