Two security vulnerabilities have been discovered in the open-source Traccar GPS tracking system that could be exploited by unauthenticated attackers to achieve remote code execution under certain circumstances.
Both vulnerabilities are path traversal flaws and could be weaponized if guest registration is enabled, which is the default configuration for Traccar 5, said Horizon3.ai researcher Naveen Sunkavally.
A brief description of the flaws is as follows –
- CVE-2024-24809 (CVSS score: 8.5) – Path traversal: ‘dir/../../filename’ and unrestricted upload of a file with a dangerous type
- CVE-2024-31214 (CVSS score: 9.7) – Unrestricted file upload vulnerability when uploading a device image could lead to remote code execution
“The end result of CVE-2024-31214 and CVE-2024-24809 is that an attacker could place files with arbitrary content anywhere on the file system,” Sunkavally said. “However, the attacker only has partial control over the filename.”
The issues stem from the way the program handles the upload of the device image file, effectively allowing an attacker to overwrite certain files on the file system and trigger code execution. This includes files that conform to the naming formats below –
- device.ext, where an attacker can control ext, but it MUST be an extension
- blah”, where an attacker can control blah, but the filename must end with a double quote
- blah1″;blah2=blah3, where an attacker can control blah1, blah2, and blah3, but the name MUST contain a double-quote-semicolon sequence and an equals character
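The naming constraints above come from the upload handler taking the file extension from attacker-controlled request data. The following is an added example of how a defender would harden that step; it is not Traccar's code and the function names, the allowlist of image extensions and the base directory are assumptions made here. The helper derives an extension only from a plain `image/<subtype>` media type, rejects anything containing quotes, semicolons, slashes or `..`, and then verifies that the final path still resolves inside the media directory.

```python
import re
from pathlib import Path
from typing import Optional

# Hypothetical allowlist of extensions a device image may have (assumption, not Traccar's list).
ALLOWED_EXTS = {"png", "jpg", "jpeg", "gif", "svg"}

# A safe extension is short and purely alphanumeric: no dots, quotes, semicolons or slashes.
_EXT_RE = re.compile(r"^[A-Za-z0-9]{1,5}$")


def extension_from_content_type(content_type: str) -> Optional[str]:
    """Derive a file extension from a Content-Type header value.

    Returns None for anything that is not a plain, allowlisted image subtype,
    so a value such as 'image/png"; x=y' or 'image/../../x' yields no extension.
    """
    # Only the media type itself is considered; parameters after ';' are ignored.
    mime = content_type.split(";", 1)[0].strip().lower()
    if not mime.startswith("image/"):
        return None
    ext = mime[len("image/"):]
    if not _EXT_RE.fullmatch(ext) or ext not in ALLOWED_EXTS:
        return None
    return ext


def is_suspicious_upload_name(name: str) -> bool:
    """Detection helper: flag names showing the traversal or quote/semicolon patterns
    described above, suitable for logging rejected uploads."""
    return any(token in name for token in ("..", '"', "\u2033", ";", "/", "\\"))


def safe_device_image_path(base_dir: str, device_id: int, ext: str) -> Path:
    """Build <base>/<device_id>/device.<ext> and refuse any result outside <base>.

    The containment check is defence in depth: even if an unsafe extension slipped
    through, a path that escapes the media directory is never returned.
    """
    base = Path(base_dir).resolve()
    target = (base / str(device_id) / f"device.{ext}").resolve()
    if base not in target.parents:
        raise ValueError("resolved path escapes the media directory")
    return target


if __name__ == "__main__":
    # Constructed sample header values, not captured traffic.
    for value in ("image/png", 'image/png"; x=y', "image/../../etc/x", "text/plain"):
        print(repr(value), "->", extension_from_content_type(value))
```

Usage: call `extension_from_content_type` on the raw header value and only pass a non-`None` result to `safe_device_image_path`; log any name for which `is_suspicious_upload_name` returns True, since that is the pattern an exploitation attempt would leave in the request.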
In a proof of concept (PoC) developed by Horizon3.ai, an adversary could use path traversal in the Content-Type header to upload a crontab file and obtain a reverse shell on the attacker’s host.
This attack method, however, does not work on Debian/Ubuntu-based Linux systems due to filename restrictions that prohibit crontab files from containing periods or double quotes.
An alternative mechanism involves taking advantage of Traccar being installed as the root user to drop a kernel module or configure a udev rule that runs an arbitrary command whenever a hardware event is raised.
On vulnerable Windows instances, remote code execution can also be achieved by placing a shortcut file (LNK) named “device.lnk” in the C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp folder, which is then executed whenever any user logs into the Traccar host.
Traccar versions 5.1 through 5.12 are vulnerable to CVE-2024-31214 and CVE-2024-24809. The issues were addressed in the April 2024 release of Traccar 6, which disables self-registration by default, thereby reducing the attack surface.
“If the registration setting is true, readOnly is false, and deviceReadonly is false, then an unauthenticated attacker could exploit these vulnerabilities,” Sunkavally said. “These are the default settings for Traccar 5.”