
Critical Flaws in Traccar GPS System Expose Users to Remote Attacks


Two security vulnerabilities have been disclosed in the open-source Traccar GPS tracking system that could potentially be exploited by unauthenticated attackers to achieve remote code execution under certain circumstances.

Both vulnerabilities are path traversal flaws and could be weaponized if guest registration is enabled, which is the default configuration for Traccar 5, Horizon3.ai researcher Naveen Sunkavally said.

A brief description of the shortcomings is as follows –

  • CVE-2024-24809 (CVSS score: 8.5) – Path Traversal: 'dir/../../filename' and unrestricted upload of file with dangerous type
  • CVE-2024-31214 (CVSS score: 9.7) – Unrestricted file upload vulnerability in device image upload could lead to remote code execution

"The net effect of CVE-2024-31214 and CVE-2024-24809 is that an attacker can place files with arbitrary content anywhere on the file system," Sunkavally said. "However an attacker only has partial control over the filename."

The issues have to do with how the program handles device image file uploads, effectively allowing an attacker to overwrite certain files on the file system and trigger code execution. This includes files matching the naming formats below –

  • device.ext, where the attacker can control ext, but there MUST be an extension
  • blah", where the attacker can control blah but the filename must end with a double quote
  • blah1";blah2=blah3, where the attacker can control blah1, blah2, and blah3, but the double quote semicolon sequence and equals symbol MUST be present

In a hypothetical proof-of-concept (PoC) devised by Horizon3.ai, an adversary can exploit the path traversal in the Content-Type header to upload a crontab file and obtain a reverse shell on the attacker host.


This attack method, however, does not work on Debian/Ubuntu-based Linux systems due to file naming restrictions that bar crontab files from having periods or double quotes.


An alternative mechanism involves taking advantage of Traccar being installed as a root-level user to drop a kernel module or to configure a udev rule that runs an arbitrary command every time a hardware event is raised.

On vulnerable Windows instances, remote code execution may also be achieved by placing a shortcut (LNK) file named "device.lnk" in the C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp folder, which gets subsequently executed when any victim user logs into the Traccar host.

Traccar versions 5.1 to 5.12 are susceptible to CVE-2024-31214 and CVE-2024-24809. The issues have been addressed with the release of Traccar 6 in April 2024, which turns off self-registration by default, thereby reducing the attack surface.

"If the registration setting is true, readOnly is false, and deviceReadonly is false, then an unauthenticated attacker can exploit these vulnerabilities," Sunkavally said. "These are the default settings for Traccar 5."
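The three settings quoted above, together with the affected version range, give an administrator a concrete audit condition. The following added example (not Traccar's code, not from the researcher) evaluates that condition over the server-info JSON a Traccar instance exposes. The sample documents are constructed for the example, the field names follow the quote, and the exact key spelling and response shape of the real server-info endpoint are assumptions, which is why the lookup is case-insensitive.

```python
import json

# Constructed sample: what a Traccar 5 instance left at its defaults would report.
# Field names follow the article's quote; the real response shape is an assumption.
SAMPLE_TRACCAR5_DEFAULTS = json.dumps({
    "id": 1,
    "version": "5.12",
    "registration": True,
    "readOnly": False,
    "deviceReadonly": False,
})

# Constructed sample: Traccar 6 ships with self-registration off.
SAMPLE_TRACCAR6 = json.dumps({
    "id": 1,
    "version": "6.0",
    "registration": False,
    "readOnly": False,
    "deviceReadonly": False,
})

def _lookup(info: dict, key: str):
    """Case-insensitive key lookup so readOnly / readonly spellings both match."""
    wanted = key.lower()
    for k, v in info.items():
        if k.lower() == wanted:
            return v
    return None

def is_affected_version(version: str) -> bool:
    """Traccar 5.1 through 5.12, the range the article names."""
    try:
        major, minor = (int(x) for x in version.split(".")[:2])
    except ValueError:
        return False
    return major == 5 and 1 <= minor <= 12

def audit_server_info(server_json: str) -> list:
    """Return one finding per risky condition; an empty list means none applies."""
    info = json.loads(server_json)
    findings = []
    if is_affected_version(str(_lookup(info, "version") or "")):
        findings.append("version is in the affected range 5.1 to 5.12")
    if _lookup(info, "registration") is True:
        findings.append("registration is true: anyone can create an account")
    if _lookup(info, "readOnly") is False:
        findings.append("readOnly is false: registered users can modify objects")
    if _lookup(info, "deviceReadonly") is False:
        findings.append("deviceReadonly is false: registered users can manage devices")
    return findings

def unauthenticated_exposure(server_json: str) -> bool:
    """True only when every condition from the quote holds at once."""
    info = json.loads(server_json)
    return (
        is_affected_version(str(_lookup(info, "version") or ""))
        and _lookup(info, "registration") is True
        and _lookup(info, "readOnly") is False
        and _lookup(info, "deviceReadonly") is False
    )

if __name__ == "__main__":
    for label, doc in (("traccar5-defaults", SAMPLE_TRACCAR5_DEFAULTS), ("traccar6", SAMPLE_TRACCAR6)):
        print(label, "exposed" if unauthenticated_exposure(doc) else "not exposed")
        for finding in audit_server_info(doc):
            print("  -", finding)
```

The audit deliberately reports each condition separately: an instance that is patched to 6.x but still has registration switched back on is not exposed to these two CVEs, yet the finding is still worth a look, since self-registration was the precondition the researcher singled out.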
