Two critical vulnerabilities leading to remote code execution have been found in Traccar, a popular GPS tracking system used both by individuals and by companies. The flaws, tracked as CVE-2024-31214 and CVE-2024-24809, allow unauthenticated attackers to exploit a server on which guest (self-service) registration is enabled, which is the default setting in Traccar 5.
Traccar is a Java application that uses the Jetty server to handle requests. Version 5.1 added a device image upload feature, and that feature introduced the vulnerabilities. Both issues stem from the handling of device image uploads: an attacker can manipulate the file name and extension to perform path traversal, which lets them write files to arbitrary locations on the file system and ultimately run malicious code on the server.
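The general shape of the flaw and of its fix, as an added illustration in Python rather than Traccar's own Java code: the naive function joins the client-supplied device id and extension straight into a path, so traversal sequences or an absolute component escape the media root, while the hardened version allowlists both inputs and then verifies that the normalised result still lies under the root. The `media_root` parameter, the extension allowlist and the identifier pattern are assumptions chosen for the example.

```python
import os
import re

# Constructed allowlist and identifier pattern (assumptions, not Traccar's rules).
ALLOWED_EXTENSIONS = {"png", "jpg", "jpeg", "gif", "webp"}
DEVICE_ID_RE = re.compile(r"[A-Za-z0-9_-]{1,64}")


def naive_upload_path(media_root: str, device_id: str, extension: str) -> str:
    """Vulnerable pattern: client-controlled parts are joined without validation,
    so '../' in either part, or an absolute device_id, escapes media_root."""
    return os.path.join(media_root, device_id, "device." + extension)


def is_inside(root: str, path: str) -> bool:
    """True if the normalised path is the root itself or lies beneath it."""
    root_n = os.path.normpath(root)
    path_n = os.path.normpath(path)
    return os.path.commonpath([root_n, path_n]) == root_n


def safe_upload_path(media_root: str, device_id: str, extension: str) -> str:
    """Hardened version: strict allowlists on both inputs, then a containment
    check on the normalised result as defence in depth."""
    if not DEVICE_ID_RE.fullmatch(device_id):
        raise ValueError("device id must be a short alphanumeric identifier")
    ext = extension.lower()
    if ext not in ALLOWED_EXTENSIONS:
        raise ValueError("extension not in image allowlist")
    path = os.path.normpath(os.path.join(media_root, device_id, "device." + ext))
    if not is_inside(media_root, path):
        raise ValueError("resolved path escapes media root")
    return path


def upload_path_rejected(media_root: str, device_id: str, extension: str) -> bool:
    """Convenience wrapper: True when the hardened function refuses the input."""
    try:
        safe_upload_path(media_root, device_id, extension)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    print(safe_upload_path("/srv/media", "42", "PNG"))
    print(naive_upload_path("/srv/media", "../../outside", "txt"),
          is_inside("/srv/media", naive_upload_path("/srv/media", "../../outside", "txt")))
```

The containment check uses `os.path.normpath`, which is purely lexical; if the media directory can contain symlinks, resolve with `os.path.realpath` before comparing so a link cannot point the write outside the root.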
One possible attack scenario on Linux servers is to upload a crontab file, giving the attacker a reverse shell. Other routes include uploading a malicious kernel module or creating malicious udev rules, which lead to remote code execution on the next reboot or user login.
On Windows systems, the vulnerability can be used to place a malicious shortcut in the Startup folder, so that the attacker's command runs at every login.
The issues were discovered by researchers at Horizon3, who promptly reported them to the Traccar developers. Traccar 6 fixes both vulnerabilities and also disables guest registration by default, a significant improvement to the system's security posture.
To protect their systems, users are advised to update to Traccar 6 as soon as possible or, failing that, to disable guest registration. If a server may already have been compromised, take care before rebooting it, since a reboot or login can trigger any persistence mechanisms the attacker has planted.
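Before rebooting a server that ran a vulnerable Traccar 5 build, a defender will want to look at the persistence locations named above for recently written files. The following added example (Python, not part of the original advisory or of Traccar) walks those locations and reports regular files modified after a chosen cut-off, with a constructed temporary tree so it can be run offline. The location lists are typical default paths and are assumptions; extend them for the host being examined.

```python
import os
import tempfile
import time

# Persistence locations matching the scenarios in the write-up (cron entries,
# udev rules, kernel modules, the Windows Startup folder). Typical defaults,
# given here as assumptions; add any others relevant to the host.
LINUX_LOCATIONS = [
    "/etc/crontab", "/etc/cron.d", "/etc/cron.hourly", "/etc/cron.daily",
    "/var/spool/cron", "/etc/udev/rules.d", "/etc/modules-load.d", "/lib/modules",
]
WINDOWS_LOCATIONS = [
    r"C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp",
    os.path.join(os.environ.get("APPDATA", ""),
                 r"Microsoft\Windows\Start Menu\Programs\Startup"),
]


def days_ago(n: float) -> float:
    """Epoch timestamp n days before now."""
    return time.time() - n * 86400


def _check(path, since, hits):
    """Append (path, mtime) when the file was modified at or after `since`."""
    try:
        st = os.stat(path)
    except OSError:
        return
    if st.st_mtime >= since:
        hits.append((path, st.st_mtime))


def find_recent_changes(locations, since, max_depth=3):
    """Return sorted (path, mtime) pairs for regular files under `locations`
    modified at or after `since` (epoch seconds). Directories are walked at
    most `max_depth` levels below each location; missing paths are skipped."""
    hits = []
    for loc in locations:
        if os.path.isfile(loc):
            _check(loc, since, hits)
            continue
        if not os.path.isdir(loc):
            continue
        for dirpath, dirnames, filenames in os.walk(loc):
            rel = os.path.relpath(dirpath, loc)
            depth = 0 if rel == "." else rel.count(os.sep) + 1
            if depth >= max_depth:
                dirnames[:] = []  # prune deeper recursion
            for name in filenames:
                _check(os.path.join(dirpath, name), since, hits)
    return sorted(hits)


def build_sample_tree():
    """Constructed sample: one stale rules file and one freshly written file
    in a nested directory. Returns (base_dir, stale_path, fresh_path)."""
    base = tempfile.mkdtemp(prefix="triage-demo-")
    stale = os.path.join(base, "10-old.rules")
    fresh = os.path.join(base, "nested", "99-new.rules")
    os.makedirs(os.path.dirname(fresh))
    for p in (stale, fresh):
        with open(p, "w") as fh:
            fh.write("# sample\n")
    old = days_ago(90)
    os.utime(stale, (old, old))
    return base, stale, fresh


if __name__ == "__main__":
    base, _, _ = build_sample_tree()
    print("sample tree:", find_recent_changes([base], since=days_ago(30)))
    locations = WINDOWS_LOCATIONS if os.name == "nt" else LINUX_LOCATIONS
    for path, mtime in find_recent_changes(locations, since=days_ago(30)):
        print(time.strftime("%Y-%m-%d %H:%M", time.localtime(mtime)), path)
```

A sensible cut-off is the date the vulnerable build was deployed or first exposed; anything the script lists should be reviewed (content, owner, and whether it matches a known change) before the machine is restarted.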
When the vulnerabilities were disclosed, roughly 1,400 Traccar servers running version 5 with the vulnerable default settings were exposed on the internet. Administrators are advised to check their deployments and take the necessary steps to prevent attacks.