
Critical Flaws in Traccar GPS System Expose Users to Remote Attacks


Aug 26, 2024 | Ravie Lakshmanan | Software Security / Vulnerability


Two security vulnerabilities have been disclosed in the open-source Traccar GPS tracking system that could potentially be exploited by unauthenticated attackers to achieve remote code execution under certain circumstances.

Both vulnerabilities are file-handling flaws (a path traversal and an unrestricted file upload) and could be weaponized if guest registration is enabled, which is the default configuration for Traccar 5, Horizon3.ai researcher Naveen Sunkavally said.

A brief description of the shortcomings is as follows –

  • CVE-2024-24809 (CVSS score: 8.5) – Path traversal: 'dir/../../filename' and unrestricted upload of a file with a dangerous type
  • CVE-2024-31214 (CVSS score: 9.7) – Unrestricted file upload vulnerability in device image upload could lead to remote code execution

“The net result of CVE-2024-31214 and CVE-2024-24809 is that an attacker can place files with arbitrary content anywhere on the file system,” Sunkavally said. “However, an attacker only has partial control over the filename.”

The issues have to do with how the program handles device image file uploads, effectively allowing an attacker to overwrite certain files on the file system and trigger code execution. The files an attacker can write must match one of the following naming formats –

  • device.ext, where the attacker controls ext, but there MUST be an extension
  • blah", where the attacker controls blah, but the filename must end with a double quote
  • blah1";blah2=blah3, where the attacker controls blah1, blah2, and blah3, but the double-quote-semicolon sequence and the equals sign MUST be present
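The root cause described above is a media path built from attacker-influenced fragments (the device identifier and the Content-Type subtype) with no containment check. The following is an added illustration of that flaw class written for this article; it is not Traccar's own code, and the media root, the field names and the allowlist are assumptions chosen for the example. The unsafe builder shows how a traversal in one fragment and an arbitrary extension in the other combine into a write outside the media directory; the hardened builder beside it applies an identifier allowlist, a MIME-type allowlist that never copies attacker text into the filename, and a final normalised-path containment check.

```python
import posixpath
import re

# Assumed media root for the illustration; not Traccar's configuration key or layout.
MEDIA_ROOT = "/opt/traccar/media"

# Only an allowlist of MIME types maps to an on-disk extension, so attacker-supplied
# text never reaches the filename (assumed set, chosen for the example).
ALLOWED_TYPES = {"image/png": "png", "image/jpeg": "jpg", "image/gif": "gif"}
SAFE_UNIQUE_ID = re.compile(r"[A-Za-z0-9_-]{1,64}")


def unsafe_media_path(unique_id: str, content_type: str) -> str:
    """Naive construction: the device uniqueId and the Content-Type subtype are both
    trusted as path fragments, so either may carry '../' or a dangerous extension."""
    subtype = content_type.split("/", 1)[1] if "/" in content_type else content_type
    return posixpath.normpath(posixpath.join(MEDIA_ROOT, unique_id, "device." + subtype))


def escapes_root(path: str) -> bool:
    """True when a normalised absolute path lies outside MEDIA_ROOT."""
    return posixpath.commonpath([MEDIA_ROOT, path]) != MEDIA_ROOT


def safe_media_path(unique_id: str, content_type: str) -> str:
    """Hardened construction: strict identifier allowlist, MIME allowlist, and a
    containment check on the final normalised path."""
    if not SAFE_UNIQUE_ID.fullmatch(unique_id):
        raise ValueError("rejected uniqueId: %r" % unique_id)
    mime = content_type.split(";", 1)[0].strip().lower()  # drop any media-type parameters
    ext = ALLOWED_TYPES.get(mime)
    if ext is None:
        raise ValueError("rejected Content-Type: %r" % content_type)
    path = posixpath.normpath(posixpath.join(MEDIA_ROOT, unique_id, "device." + ext))
    if escapes_root(path):
        raise ValueError("path escapes media root: %r" % path)
    return path


def rejected(unique_id: str, content_type: str) -> bool:
    """Convenience: True when the hardened builder refuses the input."""
    try:
        safe_media_path(unique_id, content_type)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    # Constructed inputs: a traversal in the uniqueId and an arbitrary extension in the subtype.
    p = unsafe_media_path("../../../tmp", "image/sh")
    print(p, "escapes media root:", escapes_root(p))
    print(safe_media_path("tracker-01", "image/png"))
    for bad in [("../../../tmp", "image/png"), ("tracker-01", "image/sh")]:
        print("blocked:", bad, rejected(*bad))
```

The containment check on the normalised path is the one control that holds even if a future change relaxes the allowlists; the allowlists are what keep the filename out of attacker hands entirely.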

In a proof-of-concept (PoC) devised by Horizon3.ai, an adversary exploits the path traversal via the Content-Type header to upload a crontab file and obtain a reverse shell back to the attacker's host.

This attack method, however, does not work on Debian/Ubuntu-based Linux systems, because cron's file naming restrictions there ignore crontab files whose names contain periods or double quotes.


An alternative mechanism takes advantage of Traccar being installed as the root user to drop a kernel module, or to configure a udev rule that runs an arbitrary command every time a hardware event is raised.

On susceptible Windows instances, remote code execution can be achieved by placing a shortcut (LNK) file named "device.lnk" in the C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp folder; it is then executed when any victim user logs into the Traccar host.

Traccar versions 5.1 to 5.12 are vulnerable to CVE-2024-31214 and CVE-2024-24809. The issues have been addressed with the release of Traccar 6 in April 2024, which turns off self-registration by default, thereby reducing the attack surface.

“If the registration setting is true, readOnly is false, and deviceReadonly is false, then an unauthenticated attacker can exploit these vulnerabilities,” Sunkavally said. “These are the default settings for Traccar 5.”
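A defender's first question is whether a given Traccar host is both in the affected version range and in the exposed configuration Sunkavally describes. The following is an added check written for this article, not code from Traccar or Horizon3.ai. It assumes that a Traccar server answers GET /api/server with a JSON object carrying "version", "registration", "readonly" and "deviceReadonly" fields (an assumption about the API's field names, not something the article states); the two sample responses are constructed here to mirror the Traccar 5 and Traccar 6 defaults the article gives.

```python
import json

# Affected range from the article (inclusive).
VULN_MIN, VULN_MAX = (5, 1), (5, 12)

# Constructed sample responses. Field names are an assumption about the /api/server
# JSON; the values mirror the defaults the article describes for each major version.
TRACCAR5_DEFAULT = json.dumps({
    "id": 0, "version": "5.12",
    "registration": True, "readonly": False, "deviceReadonly": False,
})
TRACCAR6_DEFAULT = json.dumps({
    "id": 0, "version": "6.0",
    "registration": False, "readonly": False, "deviceReadonly": False,
})


def parse_version(text: str) -> tuple:
    """Reduce a version string such as '5.12' or '6.0' to a (major, minor) tuple."""
    nums = []
    for part in text.strip().split(".")[:2]:
        digits = "".join(ch for ch in part if ch.isdigit())
        nums.append(int(digits) if digits else 0)
    while len(nums) < 2:
        nums.append(0)
    return tuple(nums)


def in_vulnerable_range(version: str) -> bool:
    return VULN_MIN <= parse_version(version) <= VULN_MAX


def unauthenticated_exploitable(server: dict) -> bool:
    """The three settings Sunkavally names: registration on, readOnly off, deviceReadonly off.
    Missing boolean fields are treated as False (assumed default)."""
    return (bool(server.get("registration", False))
            and not server.get("readonly", False)
            and not server.get("deviceReadonly", False))


def assess(server_json: str) -> dict:
    """Classify a server response: version exposure and unauthenticated reachability."""
    server = json.loads(server_json)
    version = str(server.get("version", ""))
    vulnerable_version = in_vulnerable_range(version)
    exposed = unauthenticated_exploitable(server)
    if vulnerable_version and exposed:
        risk = "affected version with self-registration on: reachable without credentials"
    elif vulnerable_version:
        risk = "affected version, self-registration off: still upgrade, any account can reach the upload"
    else:
        risk = "version outside the stated affected range"
    return {
        "version": version,
        "vulnerable_version": vulnerable_version,
        "unauth_exposure": exposed,
        "risk": risk,
    }


if __name__ == "__main__":
    for label, sample in (("Traccar 5 defaults", TRACCAR5_DEFAULT),
                          ("Traccar 6 defaults", TRACCAR6_DEFAULT)):
        print(label, assess(sample))
```

Turning registration off closes only the unauthenticated path; the version check is what decides whether the upload handler itself is still the flawed one.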



