Significant Weaknesses in Traccar GPS System Make Users Vulnerable to Remote Attacks

Aug 26, 2024Ravie LakshmananSoftware Security / Vulnerability

Two security vulnerabilities have been disclosed in the open-source Traccar GPS tracking system that could be exploited by unauthenticated attackers to achieve remote code execution under certain circumstances.

Both are path traversal flaws, and they become exploitable when guest registration is enabled, which is the default setting in Traccar 5, according to Naveen Sunkavally, a researcher at Horizon3.ai.

A brief description of the two shortcomings follows:

  • CVE-2024-24809 (CVSS score: 8.5) – Path Traversal: 'dir/../../filename' and unrestricted upload of files with dangerous types
  • CVE-2024-31214 (CVSS score: 9.7) – Unrestricted upload of device image files, which can lead to remote code execution

“The net effect of CVE-2024-31214 and CVE-2024-24809 is that an attacker can place files with arbitrary content anywhere on the file system,” Sunkavally said in a technical analysis. “However an attacker only has partial control over the filename.”

The vulnerabilities stem from how the software handles file uploads for device images, which lets an attacker overwrite certain files and trigger code execution. The affected file name formats are:

  • device.ext, where the attacker controls ext, but an extension must be present
  • blah", where the attacker controls blah, but the file name must end with a double quote
  • blah1";blah2=blah3, where the attacker controls blah1, blah2 and blah3, but the double quote, semicolon and equals characters must be present in that sequence
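The three name shapes above all come from one root cause: a client-supplied header value being spliced into a file name. The following is an added example (not Traccar's code) that contrasts a weak "derive the name from Content-Type" pattern with a hardened one that allow-lists the extension and verifies the resolved path stays inside the upload directory. The upload root, the allow-list and the sample header values are constructed for the illustration.

```python
import posixpath
import re

# Hypothetical upload directory for this example (not Traccar's real layout).
UPLOAD_ROOT = "/opt/traccar/media"

# Allow-listed image extensions; the file name is built from this table, never
# from the raw Content-Type subtype.
ALLOWED_EXTENSIONS = {"png", "jpg", "gif", "webp"}

# A media subtype we are willing to look at: short, lowercase, alphanumeric only.
# This rules out '/', '.', '"', ';' and '=' - the characters the three dangerous
# file name shapes in the article depend on.
SUBTYPE_RE = re.compile(r"[a-z0-9]{1,8}")


def naive_filename(content_type: str) -> str:
    """Weak pattern: 'device.' + whatever follows the slash in Content-Type.

    Constructed illustration of the weakness class described in the article:
    the subtype flows into the file name unchecked, so '/', '..', quotes, ';'
    and '=' all survive into the path.
    """
    subtype = content_type.partition("/")[2]
    return posixpath.join(UPLOAD_ROOT, f"device.{subtype}")


def escapes_root(path: str, root: str = UPLOAD_ROOT) -> bool:
    """True if the normalised path lands outside the upload directory."""
    normalised = posixpath.normpath(path)
    return posixpath.commonpath([root, normalised]) != root


def hardened_filename(content_type: str) -> str:
    """Hardened pattern: validate the media type, map it to an allow-listed
    extension, and confirm the resulting path is still under UPLOAD_ROOT."""
    # 1. Keep only the media type; parameters after ';' never become part of a name.
    media_type = content_type.partition(";")[0].strip().lower()
    top, _, subtype = media_type.partition("/")
    if top != "image" or not SUBTYPE_RE.fullmatch(subtype):
        raise ValueError(f"rejected Content-Type {content_type!r}")

    # 2. Translate the subtype into an extension we chose, not one the client chose.
    ext = {"jpeg": "jpg"}.get(subtype, subtype)
    if ext not in ALLOWED_EXTENSIONS:
        raise ValueError(f"extension {ext!r} is not on the allow-list")

    # 3. Belt and braces: even with a clean extension, verify containment.
    target = posixpath.normpath(posixpath.join(UPLOAD_ROOT, f"device.{ext}"))
    if escapes_root(target):
        raise ValueError("resolved path escapes the upload directory")
    return target


def compare(content_type: str) -> dict:
    """Show what each approach does with one header value."""
    naive = naive_filename(content_type)
    try:
        hardened = hardened_filename(content_type)
    except ValueError as exc:
        hardened = f"REJECTED ({exc})"
    return {"naive": naive, "naive_escapes_root": escapes_root(naive), "hardened": hardened}


if __name__ == "__main__":
    # Constructed sample header values: benign, with a parameter, carrying
    # traversal, and carrying the trailing double-quote shape from the article.
    for sample in ("image/png", "image/jpeg; q=0.9", "image/x/../../../outside", 'image/png"'):
        print(sample, "->", compare(sample))
```

The containment check in step 3 is redundant once the subtype regex has passed, and that is deliberate: if a later change loosens the regex, the path check still stops a traversal from reaching the file system.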

In a proof-of-concept devised by Horizon3.ai, an attacker abuses the path traversal in the Content-Type header to upload a crontab file and obtain a reverse shell back to the attacker's host.

However, this method does not work on Debian/Ubuntu-based Linux systems, because cron's naming restrictions disallow crontab file names that contain periods or double quotes.


Another exploitation path takes advantage of the fact that Traccar is installed as the root user to drop a kernel module or configure a udev rule that executes arbitrary commands whenever a hardware event occurs.

On vulnerable Windows systems, remote code execution can be achieved by placing a shortcut (LNK) file named "device.lnk" in the C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp directory, which is executed whenever any user logs in to the Traccar host.

Traccar versions 5.1 through 5.12 are affected by CVE-2024-31214 and CVE-2024-24809. The issues have been addressed with the release of Traccar 6 in April 2024, which disables self-registration by default, thereby reducing the attack surface.

“If the registration setting is true, readOnly is false, and deviceReadonly is false, then an unauthenticated attacker can exploit these vulnerabilities,” remarked Sunkavally. “These are the default settings for Traccar 5.”
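The exposure condition quoted above and the affected version range are concrete enough to turn into a configuration audit. The following is an added example (not Traccar's own tooling) that reads the three settings from a file in Traccar's XML properties layout, applies the Traccar 5 defaults the article states for keys that are absent, and combines the result with the version check. The sample configuration is constructed, and the `<entry key='...'>` layout is an assumption to verify against your own traccar.xml.

```python
import xml.etree.ElementTree as ET
from typing import Dict, List, Optional, Tuple

# Constructed sample in the layout of a Traccar traccar.xml (Java XML
# properties: <entry key='...'>value</entry>). deviceReadonly is deliberately
# omitted so the default-handling path is exercised.
SAMPLE_CONFIG = """<properties>
    <entry key='database.driver'>org.h2.Driver</entry>
    <entry key='registration'>true</entry>
    <entry key='readOnly'>false</entry>
</properties>
"""

# Defaults the article attributes to Traccar 5: keys absent from the file
# take these values.
TRACCAR5_DEFAULTS = {"registration": True, "readOnly": False, "deviceReadonly": False}

# Release range the article lists as affected (inclusive).
AFFECTED_MIN, AFFECTED_MAX = (5, 1), (5, 12)


def parse_entries(xml_text: str) -> Dict[str, str]:
    """Flatten <entry key='k'>v</entry> elements into a dict."""
    root = ET.fromstring(xml_text)
    return {e.get("key"): (e.text or "").strip() for e in root.iter("entry") if e.get("key")}


def as_bool(value: Optional[str], default: bool) -> bool:
    """Interpret a config value; missing or empty falls back to the default."""
    if value is None or value.strip() == "":
        return default
    return value.strip().lower() == "true"


def version_tuple(version: str) -> Tuple[int, int]:
    """'5.12' -> (5, 12); patch components beyond major.minor are ignored."""
    parts = version.strip().split(".")
    return int(parts[0]), int(parts[1]) if len(parts) > 1 else 0


def version_affected(version: str) -> bool:
    return AFFECTED_MIN <= version_tuple(version) <= AFFECTED_MAX


def assess(xml_text: str, version: str) -> dict:
    """Combine the version check with the three settings from the article."""
    entries = parse_entries(xml_text)
    settings = {k: as_bool(entries.get(k), d) for k, d in TRACCAR5_DEFAULTS.items()}

    reasons: List[str] = []
    if settings["registration"]:
        reasons.append("registration is true (Traccar 5 default)")
    if not settings["readOnly"]:
        reasons.append("readOnly is false (Traccar 5 default)")
    if not settings["deviceReadonly"]:
        reasons.append("deviceReadonly is false (Traccar 5 default)")

    affected = version_affected(version)
    # Per the article, all three conditions together are what an
    # unauthenticated attacker needs on an affected release.
    exposed = affected and len(reasons) == 3

    advice = None
    if affected:
        advice = ("upgrade to Traccar 6 (self-registration disabled by default); "
                  "until then set registration to false")
    return {
        "version": version,
        "version_affected": affected,
        "settings": settings,
        "unauthenticated_exposure": exposed,
        "reasons": reasons,
        "advice": advice,
    }


if __name__ == "__main__":
    for ver in ("5.12", "6.0"):
        print(ver, assess(SAMPLE_CONFIG, ver))
```

To run this against a real deployment, replace SAMPLE_CONFIG with the contents of the server's traccar.xml and pass the version string reported by the installation; the function only flags a host as exposed when the release is in the affected range and all three settings match the quoted condition.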
