Critical Vulnerabilities in Traccar GPS System Expose Remote Code Execution Risks
Two significant security vulnerabilities in the Traccar GPS tracking system, tracked as CVE-2024-31214 and CVE-2024-24809, have been disclosed, posing severe risk to deployments running Traccar version 5. Chained together, they allow an unauthenticated attacker to write files to arbitrary locations on the server and, from there, execute code on the host.
Understanding Traccar and the Vulnerabilities
Traccar is a popular open-source GPS tracking platform used for personal and fleet management. Built on Java and utilizing Jetty as its web server, Traccar facilitates device registration and tracking through various communication protocols. However, recent findings from Horizon3.ai reveal critical flaws in how Traccar handles device image file uploads.
Both vulnerabilities stem from the device image upload feature introduced in Traccar 5.1. The upload handler derives the destination path and the file extension from attacker-controlled input, which lets an attacker make the server store files it was never meant to accept, in places it was never meant to write.
Detailed Vulnerability Analysis
1. CVE-2024-24809 (CVSS score: 8.5) - Path Traversal and Unrestricted File Upload
This vulnerability lets an attacker control the path at which an uploaded file is stored. By supplying a device unique ID that contains path traversal sequences such as dir/../../filename, the attacker can make the server write the uploaded file to an arbitrary location. Combined with the lack of restrictions on the uploaded file's type, this allows malicious content to be placed anywhere the Traccar process has write permission.
2. CVE-2024-31214 (CVSS score: 9.7) - Unrestricted File Upload Leading to Remote Code Execution
This flaw lies in the device image upload functionality itself. The extension of the stored file is taken from the request's Content-Type header instead of being validated against an allowlist of image types, so an attacker can pick an arbitrary extension and have the server store, for example, a file named device.html. Together with the path traversal above, the result is attacker-controlled file placement that can lead to remote code execution on the affected system.
Technical Exploitation
Exploitation relies on two attacker-controlled inputs:
- Device Unique ID: the device's unique ID is used as a directory component of the upload path without sanitization, so path traversal sequences in it move the written file to any location on the file system the Traccar process can write to.
- Content-Type Header: the subtype of this header becomes the file extension, so the attacker chooses the extension and, with it, how the operating system will treat the file's contents.
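The following Python models the two inputs described above and what a fixed upload handler has to do with them. It is an added example for this write-up, not Traccar's code and not Horizon3.ai's PoC: the media root, the image allowlist and the unique ID pattern are this example's own assumptions, and the path layout media root / unique ID / device.<extension> is taken from the file names the text mentions. The vulnerable function shows where a traversing unique ID and an arbitrary Content-Type land a file; the hardened function rejects both and, as defence in depth, confirms the resolved path stays under the media root.

```python
import posixpath
import re

# Constructed for this example: a media root. Traccar's actual directory
# layout is not copied here; only the behaviour the write-up describes is modelled.
MEDIA_ROOT = "/opt/traccar/media"

# Image types an upload handler should accept, mapped to the extension it will use.
# The allowlist is this example's choice, not Traccar's.
ALLOWED_IMAGE_TYPES = {
    "image/jpeg": "jpg",
    "image/png": "png",
    "image/gif": "gif",
    "image/webp": "webp",
}

# A device unique ID that is safe as a single path component: no slashes,
# backslashes, dots or other path-significant characters.
SAFE_UNIQUE_ID = re.compile(r"^[A-Za-z0-9_-]{1,64}$")


class UploadRejected(ValueError):
    """Raised by the hardened handler when a request must not be stored."""


def vulnerable_upload_path(media_root: str, unique_id: str, content_type: str) -> str:
    """Model of the pre-fix behaviour described above (a simulation, not Traccar code).

    The unique ID becomes a directory component unchanged (CVE-2024-24809) and the
    Content-Type subtype becomes the extension (CVE-2024-31214). Normalising the
    joined path shows where the file actually ends up.
    """
    extension = content_type.rpartition("/")[2]
    return posixpath.normpath(posixpath.join(media_root, unique_id, "device." + extension))


def hardened_upload_path(media_root: str, unique_id: str, content_type: str) -> str:
    """Same inputs, with the three checks a fixed handler needs.

    1. The unique ID must be a plain path component, so traversal is impossible.
    2. The Content-Type must be on an image allowlist; the extension comes from
       the allowlist, never from the header.
    3. The final path is normalised and confirmed to stay under the media root,
       as defence in depth should check 1 ever be loosened.
    """
    if not SAFE_UNIQUE_ID.fullmatch(unique_id):
        raise UploadRejected(f"unique ID {unique_id!r} is not a safe path component")

    media_type = content_type.split(";", 1)[0].strip().lower()
    extension = ALLOWED_IMAGE_TYPES.get(media_type)
    if extension is None:
        raise UploadRejected(f"Content-Type {content_type!r} is not an allowed image type")

    root = posixpath.normpath(media_root)
    target = posixpath.normpath(posixpath.join(root, unique_id, "device." + extension))
    if posixpath.commonpath([root, target]) != root:
        raise UploadRejected(f"resolved path {target!r} escapes {root!r}")
    return target


def classify_request(unique_id: str, content_type: str) -> str:
    """Return 'stored' or 'rejected' for a request against the hardened handler."""
    try:
        hardened_upload_path(MEDIA_ROOT, unique_id, content_type)
        return "stored"
    except UploadRejected:
        return "rejected"


if __name__ == "__main__":
    # Constructed requests: a benign image, a cron drop-in via traversal,
    # and an HTML file smuggled in through the Content-Type subtype.
    requests = [
        ("123456789012345", "image/png"),
        ("../../../etc/cron.d", "image/x"),
        ("abc123", "image/html"),
    ]
    for unique_id, content_type in requests:
        print(f"uniqueId={unique_id!r} Content-Type={content_type!r}")
        print("  vulnerable handler writes:", vulnerable_upload_path(MEDIA_ROOT, unique_id, content_type))
        print("  hardened handler:         ", classify_request(unique_id, content_type))
```

Note that the hardened handler takes the extension from the allowlist rather than merely filtering the header value: the client has no say in what the file is called, which is the property that closes CVE-2024-31214. The commonpath check on its own would not be enough, because it says nothing about the extension, and a regex on the unique ID on its own would not survive a future change that relaxes the pattern.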
Impact and Proof of Concept
A proof-of-concept (PoC) by Horizon3.ai demonstrates the impact. On Linux, an attacker can use the path traversal to drop a crontab into the system's cron drop-in directory, with the Content-Type header supplying the extension, and have cron run a command that spawns a reverse shell. This does not work on Debian/Ubuntu, however: the uploaded file is always named device.<extension>, and cron on those distributions ignores entries in /etc/cron.d whose names contain a dot.
On Windows systems, remote code execution is achieved by placing a shortcut (LNK) file named device.lnk in the C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp folder. Windows runs the shortcut whenever any user logs in to the Traccar host.
Mitigation and Recommendations
Traccar versions 5.1 through 5.12 are vulnerable to these issues. To mitigate the risk:
Upgrade to Traccar 6: The current major version, released in April 2024, fixes both vulnerabilities and also ships with self-registration disabled by default, removing the unauthenticated path to the upload feature.
Review and Update Configurations: Check how registration is configured. If the registration setting is true, readOnly is false, and deviceReadonly is false, an unauthenticated attacker can create an account, register a device with a crafted unique ID, and exploit these vulnerabilities. On a Traccar 5 install that cannot be upgraded immediately, disabling self-registration removes the unauthenticated route, although authenticated users can still reach the vulnerable upload.
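The check above can be automated against the settings a Traccar server reports. The script below is an added example, not a Traccar tool: it audits a JSON document shaped like the server settings endpoint's response (assumed here to carry a version string and the three settings the text names; the exact key names are this example's assumption, so keys are compared case-insensitively), flags the affected version range, and shows the weak default beside a corrected configuration. Both JSON samples are constructed for the example.

```python
import json

# Traccar 5 releases the write-up lists as affected (inclusive).
AFFECTED_MIN = (5, 1)
AFFECTED_MAX = (5, 12)

# Constructed: the weak combination the text describes, on an affected release.
WEAK_SERVER_JSON = """
{
  "version": "5.8",
  "registration": true,
  "readonly": false,
  "deviceReadonly": false
}
"""

# Constructed: a corrected deployment, upgraded and with self-registration off.
CORRECTED_SERVER_JSON = """
{
  "version": "6.1",
  "registration": false,
  "readonly": false,
  "deviceReadonly": false
}
"""


def parse_version(version: str) -> tuple:
    """Turn '5.12' or '6.1' into a (major, minor) tuple; missing or odd parts become 0."""
    parts = []
    for piece in version.split(".")[:2]:
        digits = "".join(ch for ch in piece if ch.isdigit())
        parts.append(int(digits) if digits else 0)
    while len(parts) < 2:
        parts.append(0)
    return tuple(parts)


def audit_server(server_json: str) -> dict:
    """Evaluate a server settings document for the exposure described above.

    Unauthenticated exploitation needs both an affected version and the
    registration=true / readonly=false / deviceReadonly=false combination, so the
    two are reported separately and then combined.
    """
    settings = {key.lower(): value for key, value in json.loads(server_json).items()}
    version = parse_version(str(settings.get("version", "0")))
    vulnerable_version = AFFECTED_MIN <= version <= AFFECTED_MAX
    open_registration = (
        settings.get("registration") is True
        and settings.get("readonly") is False
        and settings.get("devicereadonly") is False
    )

    findings = []
    if vulnerable_version:
        findings.append("version %d.%d is in the affected range 5.1 to 5.12; upgrade to Traccar 6" % version)
    if open_registration:
        findings.append("registration=true with readonly=false and deviceReadonly=false lets anyone create an account and a device")

    return {
        "version": version,
        "vulnerable_version": vulnerable_version,
        "open_registration": open_registration,
        "unauthenticated_rce_exposed": vulnerable_version and open_registration,
        "findings": findings,
    }


if __name__ == "__main__":
    for label, document in (("weak", WEAK_SERVER_JSON), ("corrected", CORRECTED_SERVER_JSON)):
        result = audit_server(document)
        print(f"{label}: exposed={result['unauthenticated_rce_exposed']}")
        for finding in result["findings"]:
            print("  -", finding)
```

The two verdicts are kept apart on purpose: a 5.x server with registration turned off still reports an affected version and still needs the upgrade, because any authenticated user can reach the upload handler; turning off registration only closes the unauthenticated path.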
By upgrading to the latest version and tightening security configurations, users can protect themselves from these critical vulnerabilities and reduce the risk of remote code execution.