Two safety vulnerabilities have been disclosed within the open-source Traccar GPS monitoring system that may very well be probably exploited by unauthenticated attackers to attain distant code execution underneath sure circumstances.
Each the vulnerabilities are path traversal flaws and may very well be weaponized if visitor registration is enabled, which is the default configuration for Traccar 5, Horizon3.ai researcher Naveen Sunkavally stated.
A quick description of the shortcomings is as follows –
- CVE-2024-24809 (CVSS rating: 8.5) – Path Traversal: ‘dir/../../filename’ and unrestricted add of file with harmful sort
- CVE-2024-31214 (CVSS rating: 9.7) – Unrestricted file add vulnerability in gadget picture add may result in distant code execution
“The online results of CVE-2024-31214 and CVE-2024-24809 is that an attacker can place recordsdata with arbitrary content material anyplace on the file system,” Sunkavally stated. “Nonetheless an attacker solely has partial management over the filename.”
The problems need to do with how this system handles gadget picture file uploads, successfully permitting an attacker to overwrite sure recordsdata on the file system and set off code execution. This consists of recordsdata matching the under naming format –
- gadget.ext, the place the attacker can management ext, however there MUST be an extension
- blah”, the place the attacker can management blah however the filename should finish with a double quote
- blah1″;blah2=blah3, the place the attacker can management blah1, blah2, and blah3, however the double quote semicolon sequence and equals image MUST be current
In a hypothetical proof-of-concept (PoC) devised by Horizon3.ai, an adversary can exploit the trail traversal within the Content material-Kind header to add a crontab file and procure a reverse shell on the attacker host.
This assault methodology, nevertheless, doesn’t work on Debian/Ubuntu-based Linux methods as a result of file naming restrictions that bar crontab recordsdata from having durations or double quotes.
Another mechanism entails profiting from Traccar being put in as a root-level person to drop a kernel module or configuring an udev rule to run an arbitrary command each time a {hardware} occasion is raised.
On prone Home windows situations, distant code execution may be achieved by inserting a shortcut (LNK) file named “gadget.lnk” within the C:ProgramDataMicrosoftWindowsStart MenuProgramsStartUp folder, which will get subsequently executed when any sufferer person logs into the Traccar host.
Traccar variations 5.1 to five.12 are susceptible to CVE-2024-31214 and CVE-2024-2809. The problems have been addressed with the discharge of Traccar 6 in April 2024 which turns off self-registration by default, thereby lowering the assault floor.
“If the registration setting is true, readOnly is fake, and deviceReadonly is fake, then an unauthenticated attacker can exploit these vulnerabilities,” Sunkavally stated. “These are the default settings for Traccar 5.”