Two security vulnerabilities have been disclosed in the open-source Traccar GPS tracking system that could be potentially exploited by unauthenticated attackers to achieve remote code execution under certain circumstances.
Both the vulnerabilities are path traversal flaws and could be weaponized if guest registration is enabled, which is the default configuration for Traccar 5, Horizon3.ai researcher Naveen Sunkavally said.
A brief description of the shortcomings is as follows –
- CVE-2024-24809 (CVSS score: 8.5) – Path Traversal: ‘dir/../../filename’ and unrestricted upload of file with dangerous type
- CVE-2024-31214 (CVSS score: 9.7) – Unrestricted file upload vulnerability in device image upload could lead to remote code execution
“The net result of CVE-2024-31214 and CVE-2024-24809 is that an attacker can place files with arbitrary content anywhere on the file system,” Sunkavally said. “However an attacker only has partial control over the filename.”
The issues have to do with how the program handles device image file uploads, effectively allowing an attacker to overwrite certain files on the file system and trigger code execution. This includes files matching the below naming format –
- device.ext, where the attacker can control ext, but there MUST be an extension
- blah”, where the attacker can control blah but the filename must end with a double quote
- blah1″;blah2=blah3, where the attacker can control blah1, blah2, and blah3, but the double quote semicolon sequence and equals symbol MUST be present
In a hypothetical proof-of-concept (PoC) devised by Horizon3.ai, an adversary can exploit the path traversal in the Content-Type header to upload a crontab file and obtain a reverse shell on the attacker host.
This attack method, however, does not work on Debian/Ubuntu-based Linux systems due to file naming restrictions that bar crontab files from having periods or double quotes.
An alternative mechanism entails taking advantage of Traccar being installed as a root-level user to drop a kernel module or configuring an udev rule to run an arbitrary command every time a hardware event is raised.
On susceptible Windows instances, remote code execution could also be achieved by placing a shortcut (LNK) file named “device.lnk” in the C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp folder, which gets subsequently executed when any victim user logs into the Traccar host.
Traccar versions 5.1 to 5.12 are vulnerable to CVE-2024-31214 and CVE-2024-2809. The issues have been addressed with the release of Traccar 6 in April 2024 which turns off self-registration by default, thereby reducing the attack surface.
“If the registration setting is true, readOnly is false, and deviceReadonly is false, then an unauthenticated attacker can exploit these vulnerabilities,” Sunkavally said. “These are the default settings for Traccar 5.”