Severe Vulnerabilities in Traccar GPS System Put Users at Risk of Remote Code Execution


In a concerning development for users of the Traccar GPS tracking system, two critical security vulnerabilities have been uncovered that could leave the platform open to severe exploitation. The vulnerabilities, identified as CVE-2024-24809 and CVE-2024-31214, pose a significant risk of remote code execution, particularly in instances where the system’s default settings remain unchanged.

Understanding the Vulnerabilities

The Traccar GPS system, widely utilized for real-time tracking of vehicles and assets, has been found to contain two path traversal flaws. These vulnerabilities could be exploited by unauthenticated attackers to gain unauthorized access to the system, potentially allowing them to execute malicious code remotely. Both flaws were disclosed by Naveen Sunkavally, a researcher at Horizon3.ai, who highlighted the seriousness of these issues, especially given that guest registration is enabled by default in Traccar version 5.

The two vulnerabilities are characterized as follows:

  • CVE-2024-24809 (CVSS score: 8.5): This path traversal vulnerability lets an attacker escape the intended directory with traversal sequences (‘dir/../../filename’) and upload files of dangerous types without restriction. The flaw is particularly alarming because of its high potential for exploitation.

  • CVE-2024-31214 (CVSS score: 9.7): This vulnerability involves an unrestricted file upload issue within the device image upload feature of Traccar. It could lead to remote code execution by allowing an attacker to place files with arbitrary content anywhere on the system’s file structure.

The Implications of Exploitation

The exploitation of these vulnerabilities could have dire consequences. According to Sunkavally, the net result of these flaws is that an attacker could effectively place files with arbitrary content anywhere within the Traccar system’s file system. While the attacker only has partial control over the filename, this still presents a substantial risk.

The vulnerabilities stem from the way Traccar handles device image file uploads. Specifically, the system allows an attacker to overwrite certain files on the file system, potentially leading to the execution of malicious code. For instance, files matching the following naming formats could be exploited:

  • device.ext, where the attacker can control the extension but must include one.
  • blah", where the attacker controls the prefix, but the filename must end with a double quote.
  • blah1";blah2=blah3, where the attacker controls all parts before and after the equals symbol, with the double quote, semicolon, and equals symbol required.
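The naming patterns above arise when the on-disk path for a device image is built by joining client-influenced pieces (the device identifier, the extension taken from the request) onto the media root without canonicalizing the result. The following Python is an added illustration, not Traccar's code: a constructed vulnerable join beside a hardened version that picks the extension from an allowlist of image types, restricts the identifier to a single safe path component, and verifies that the resolved path still lies under the media root. The `MEDIA_ROOT` location, the `ALLOWED_IMAGE_TYPES` table and the sample requests are assumptions made for the example.

```python
import posixpath

# Assumed media root for the example; the real server's location may differ.
MEDIA_ROOT = "/opt/traccar/media"

# Extension is chosen server-side from this allowlist, never from the request.
ALLOWED_IMAGE_TYPES = {
    "image/jpeg": "jpg",
    "image/png": "png",
    "image/gif": "gif",
}


def vulnerable_image_path(unique_id: str, extension: str) -> str:
    """Constructed example of the bug class: a plain string join.

    Neither part is checked for separators or '..', so the result can leave
    MEDIA_ROOT, and the extension is whatever the client declared.
    """
    return posixpath.join(MEDIA_ROOT, unique_id, "device." + extension)


class UnsafeUploadError(ValueError):
    pass


def hardened_image_path(unique_id: str, content_type: str) -> str:
    # 1. Map the declared image type to an allowlisted extension; reject
    #    everything else, so no arbitrary or quote/semicolon-bearing names.
    media_type = content_type.split(";")[0].strip().lower()
    ext = ALLOWED_IMAGE_TYPES.get(media_type)
    if ext is None:
        raise UnsafeUploadError(f"unsupported image type: {content_type!r}")

    # 2. The identifier must be exactly one path component drawn from a
    #    conservative character set (no separators, no '.' or '..').
    if not unique_id or unique_id in (".", "..") or "/" in unique_id or "\\" in unique_id:
        raise UnsafeUploadError("device id must be a single path component")
    if not all(ch.isalnum() or ch in "-_" for ch in unique_id):
        raise UnsafeUploadError("device id contains disallowed characters")

    # 3. Canonicalize and confirm containment under MEDIA_ROOT. This is the
    #    check a bare join lacks.
    candidate = posixpath.normpath(posixpath.join(MEDIA_ROOT, unique_id, "device." + ext))
    if posixpath.commonpath([MEDIA_ROOT, candidate]) != MEDIA_ROOT:
        raise UnsafeUploadError("resolved path escapes the media root")
    return candidate


def classify_upload(unique_id: str, content_type: str) -> str:
    """Returns 'accepted' or 'rejected: <reason>' for one upload request."""
    try:
        hardened_image_path(unique_id, content_type)
        return "accepted"
    except UnsafeUploadError as exc:
        return f"rejected: {exc}"


if __name__ == "__main__":
    # Constructed requests: one benign, one with a traversal-shaped id,
    # one with a non-image type, one with a double quote in the id.
    for dev, ctype in [("truck-42", "image/png"),
                       ("../../outside", "image/png"),
                       ("truck-42", "application/octet-stream"),
                       ('truck"', "image/png")]:
        print(dev, ctype, "->", classify_upload(dev, ctype))
```

The containment check in step 3 is what matters most: even if a future change relaxes the identifier rules, a path that normalizes to somewhere outside the media root is still refused.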

Proof-of-Concept and Attack Scenarios

Horizon3.ai’s proof-of-concept (PoC) demonstrated how an adversary could exploit the path traversal flaw using the Content-Type header to upload a crontab file, enabling the attacker to gain a reverse shell on the Traccar host. However, this attack vector is not universally applicable. For example, Debian and Ubuntu-based Linux systems are immune to this specific method due to file-naming restrictions that prevent crontab files from containing periods or double quotes.

Nevertheless, alternative attack methods are equally concerning. Where Traccar runs as the root user, an attacker could drop a kernel module or configure a udev rule, which would execute an arbitrary command whenever a hardware event occurs.

On Windows-based systems, the risks are equally significant. An attacker could achieve remote code execution by placing a shortcut (LNK) file named device.lnk in the C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp folder. This file would then execute the next time any user logs into the Traccar host, giving the attacker control over the system.

Mitigation and Recommendations

Traccar versions 5.1 to 5.12 are susceptible to both CVE-2024-24809 and CVE-2024-31214. Fortunately, these issues have been addressed with the release of Traccar 6 in April 2024. The new version has made critical changes to the system’s default settings, including turning off self-registration, which significantly reduces the attack surface.

Despite these fixes, Sunkavally warns that the risk remains high if the default settings are not adjusted. “If the registration setting is true, readOnly is false, and deviceReadonly is false, then an unauthenticated attacker can exploit these vulnerabilities,” he explained. These are the default settings for Traccar 5, meaning that users who have not upgraded or modified their configurations remain at risk.
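A practitioner auditing an installation wants a repeatable check for the conditions the quote above names: a version in the affected 5.1 to 5.12 range, combined with registration enabled and both read-only flags disabled. The Python below is an added example, not part of the advisory or of Traccar; it assumes a JSON settings object with `version`, `registration`, `readOnly`/`readonly` and `deviceReadonly` keys (the sample is constructed, and the real server's field names may differ).

```python
import json

AFFECTED_MIN = (5, 1)
AFFECTED_MAX = (5, 12)

# Constructed sample settings object; field names are an assumption.
SAMPLE_SERVER_SETTINGS = json.dumps({
    "version": "5.12",
    "registration": True,
    "readOnly": False,
    "deviceReadonly": False,
})


def parse_version(text: str) -> tuple:
    """Reduce a version string such as '5.12' or '6.0-beta' to (major, minor)."""
    parts = []
    for piece in text.split(".")[:2]:
        digits = "".join(ch for ch in piece if ch.isdigit())
        parts.append(int(digits) if digits else 0)
    while len(parts) < 2:
        parts.append(0)
    return tuple(parts)


def _flag(settings: dict, *names: str) -> bool:
    # Accept either spelling of a key (readOnly vs readonly); missing means False.
    for name in names:
        if name in settings:
            return bool(settings[name])
    return False


def assess(settings_json: str) -> dict:
    settings = json.loads(settings_json)
    version = parse_version(str(settings.get("version", "0")))
    affected_version = AFFECTED_MIN <= version <= AFFECTED_MAX
    self_registration = _flag(settings, "registration")
    read_only = _flag(settings, "readOnly", "readonly")
    device_read_only = _flag(settings, "deviceReadonly", "deviceReadOnly")
    open_defaults = self_registration and not read_only and not device_read_only

    actions = []
    if affected_version:
        actions.append("upgrade to Traccar 6 or later")
    if self_registration:
        actions.append("disable self-registration")
    return {
        "version": version,
        "affected_version": affected_version,
        # Unauthenticated exploitation needs both an affected build and the open defaults.
        "unauthenticated_exposure": affected_version and open_defaults,
        "actions": actions,
    }


if __name__ == "__main__":
    print(json.dumps(assess(SAMPLE_SERVER_SETTINGS), indent=2))
```

The check is deliberately conservative: an affected version is flagged for upgrade even when registration is off, since the flaws themselves are only removed by the new release.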

Conclusion

The discovery of these vulnerabilities in the Traccar GPS system underscores the importance of regular software updates and vigilant security practices. Users of Traccar are strongly urged to upgrade to the latest version and review their system configurations to ensure they are not inadvertently exposed to these critical flaws. With remote code execution being a plausible threat, the implications of inaction could be severe, making immediate attention to this issue paramount for all Traccar users.
