Serious Vulnerabilities in Traccar GPS System Leave Users Open to Remote Attacks

Traccar GPS System Exposed to Critical Vulnerabilities Leading to Remote Code Execution

Recent disclosures have unveiled two significant security vulnerabilities within the open-source Traccar GPS tracking system, potentially allowing unauthenticated attackers to execute remote code under specific circumstances. These vulnerabilities, identified by Horizon3.ai researcher Naveen Sunkavally, are primarily path traversal flaws that could be exploited when guest registration is enabled—a default setting for Traccar version 5.

The vulnerabilities, catalogued as CVE-2024-24809 and CVE-2024-31214, carry alarming CVSS scores of 8.5 and 9.7, respectively, indicating a high severity level. CVE-2024-24809 pertains to a path traversal issue that permits attackers to manipulate file uploads by using malicious naming conventions, allowing potentially harmful files to be uploaded without restriction. Meanwhile, CVE-2024-31214 presents an unrestricted file upload flaw associated with device image uploads, which could culminate in remote code execution.

Sunkavally states that these weaknesses enable an attacker to plant files with arbitrary content in any location on the file system, although some limitations on filename control apply. The vulnerabilities arise predominantly from the manner in which the system processes image file uploads, leading to the possibility of overwriting existing files and executing any embedded code. Specifically, file naming scenarios that attackers can exploit include variations that manipulate file extensions or contain specific string patterns, which could facilitate unauthorized actions.

In a theoretical proof-of-concept developed by Horizon3.ai, it was demonstrated that an adversary could leverage the path traversal vulnerability within the Content-Type header to upload a crontab file designed to enable a reverse shell connection back to the attacker’s host. Nevertheless, this method does not function effectively on Debian/Ubuntu-based systems due to stringent file naming constraints forbidding certain characters, including periods and double quotes.
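The two preceding paragraphs describe the flaw class at the root of both CVEs: attacker-controlled pieces of the request (the file name and the Content-Type header) end up in the path of the stored image. The Python below is an added example of the defensive check that class calls for; it is not Traccar's own code and the page shows none. It takes the extension from an allowlist keyed by content type instead of from the request, restricts the device id to digits, and confirms that the resolved path still sits directly inside the image directory. The directory name, the allowlist, and the `device_<id>.<ext>` naming scheme are assumptions made for this example.

```python
import re
from pathlib import Path

# Constructed allowlist: the stored extension is looked up here, never copied
# from the request. Anything not in this table is rejected.
ALLOWED_IMAGE_TYPES = {
    "image/jpeg": "jpg",
    "image/png": "png",
    "image/gif": "gif",
}

# Device ids are numeric in this example; nothing else may reach the file name.
DEVICE_ID_RE = re.compile(r"[0-9]{1,18}")


def _media_type(content_type: str) -> str:
    """Return the bare media type, dropping any ';charset=...' parameters."""
    return content_type.split(";", 1)[0].strip().lower()


def safe_image_path(base_dir: str, device_id: str, content_type: str) -> Path:
    """Compute the on-disk path for a device image or raise ValueError.

    base_dir     -- directory that must contain the stored image (assumed layout)
    device_id    -- identifier supplied by the client
    content_type -- value of the request's Content-Type header
    """
    # 1. The id must be purely numeric, so no separators or dot sequences survive.
    if not DEVICE_ID_RE.fullmatch(str(device_id)):
        raise ValueError("device id must be numeric")

    # 2. The extension comes from the allowlist, not from the header text.
    extension = ALLOWED_IMAGE_TYPES.get(_media_type(content_type))
    if extension is None:
        raise ValueError("unsupported content type for a device image")

    # 3. Resolve both sides and require the file to be a direct child of the
    #    image directory; this catches any traversal that slipped past 1 and 2
    #    and also refuses writes into subdirectories.
    base = Path(base_dir).resolve()
    candidate = (base / f"device_{device_id}.{extension}").resolve()
    if candidate.parent != base:
        raise ValueError("resolved path leaves the image directory")
    return candidate


def is_acceptable_upload(base_dir: str, device_id: str, content_type: str) -> bool:
    """Boolean wrapper for callers that only need an accept/reject decision."""
    try:
        safe_image_path(base_dir, device_id, content_type)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    # Constructed inputs: one well-formed upload and three that must be refused.
    samples = [
        ("42", "image/png"),
        ("42", "image/jpeg; charset=binary"),
        ("../42", "image/png"),
        ("42", "image/../../../etc/example"),
        ("42", "text/x-shellscript"),
    ]
    for device_id, content_type in samples:
        verdict = "accept" if is_acceptable_upload("images", device_id, content_type) else "reject"
        print(f"{verdict:6}  id={device_id!r:12} content-type={content_type!r}")
```

The order of the checks matters less than the fact that step 3 is independent of steps 1 and 2: even if a future change loosens the id or extension rules, a path that does not resolve to a direct child of the image directory is still refused.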

Moreover, where the installation runs as root, attackers could exploit these vulnerabilities to introduce a kernel module or set up a udev rule that executes arbitrary commands when a hardware event fires. On Windows instances, remote code execution could be achieved by placing a shortcut file named "device.lnk" in the C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp folder, where it would run at the next user login.

Versions 5.1 to 5.12 of Traccar are reported to be vulnerable to these exploits, with the developers addressing these issues in the release of Traccar version 6 in April 2024. This update not only rectified the vulnerabilities but also modified default settings to deactivate self-registration, thus minimizing the available attack surface. Sunkavally reaffirms that maintaining the default settings for Traccar 5 leaves systems susceptible to multiple avenues of attack.

The Traccar vulnerabilities continue a concerning trend of critical flaws surfacing in widely used software. Adversaries could employ tactics delineated in the MITRE ATT&CK framework, notably initial access by exploiting a public-facing application and persistence techniques for maintaining access after exploitation. With cybersecurity risks continually evolving, businesses must remain vigilant and implement best practices to thwart such threats effectively.
