August 26, 2024 at 04:00AM
Two security vulnerabilities in the Traccar GPS tracking system, CVE-2024-24809 and CVE-2024-31214, allow unauthenticated attackers to achieve remote code execution if guest registration is enabled. The issues have been addressed in Traccar 6, released in April 2024, which turns off self-registration by default. Attack methods and system-specific exploitation details are discussed.
From the meeting notes, I have gathered the following key takeaways:
1. Two security vulnerabilities have been identified in the open-source Traccar GPS tracking system, potentially allowing unauthenticated attackers to achieve remote code execution under certain conditions.
2. The vulnerabilities are path traversal flaws, and they can be exploited if guest registration is enabled, which is the default configuration for Traccar 5.
3. The vulnerabilities are identified as CVE-2024-24809 and CVE-2024-31214, with respective CVSS scores of 8.5 and 9.7.
4. These vulnerabilities allow an attacker to upload files with arbitrary content anywhere on the file system and trigger code execution, taking advantage of how the program handles device image file uploads.
5. A proof-of-concept devised by Horizon3.ai demonstrates how an adversary can upload a crontab file via path traversal in the Content-Type header, obtaining a reverse shell that connects back to the attacker's host.
6. Vulnerable versions of Traccar are 5.1 to 5.12, and the issues have been addressed in the release of Traccar 6, which turns off self-registration by default.
7. The default settings for Traccar 5 can be exploited by an unauthenticated attacker if the registration setting is true, readOnly is false, and deviceReadonly is false.
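As an added example (not from the original summary and not Traccar project code), the following Python helper covers two of the points above from a defender's side: the exposure conditions in items 6 and 7 (an affected 5.1 to 5.12 version together with registration true, readOnly false and deviceReadonly false) and the path-containment control that addresses the upload-path class of bug described in items 4, 5 and 8. The JSON shape of the server settings, the function names and the media-directory layout are assumptions made for the example; the sample settings are constructed.

```python
"""
Added example: audit the Traccar exposure conditions named in the summary
and show a hardened way to derive an upload path from a Content-Type header.

Assumptions (hypothetical, not from the page):
  * server settings are available as a JSON object with the keys
    "version", "registration", "readOnly" and "deviceReadonly";
  * device images live under <media_dir>/<device_id>/device.<ext>.
"""
import json
import re
from pathlib import Path

# Affected range stated in the summary: Traccar 5.1 through 5.12.
AFFECTED_MIN = (5, 1)
AFFECTED_MAX = (5, 12)

# Constructed sample settings (not captured from a real server).
SAMPLE_EXPOSED = '{"version": "5.12", "registration": true, "readOnly": false, "deviceReadonly": false}'
SAMPLE_FIXED = '{"version": "6.0", "registration": false, "readOnly": false, "deviceReadonly": false}'


def parse_version(version: str) -> tuple:
    """Turn '5.12' into (5, 12); anything after '-' or '+' is ignored."""
    core = re.split(r"[-+]", version, maxsplit=1)[0]
    return tuple(int(part) for part in core.split("."))


def version_affected(version: str) -> bool:
    """True when the major.minor part falls inside 5.1 .. 5.12."""
    try:
        v = parse_version(version)[:2]
    except ValueError:
        return False
    return AFFECTED_MIN <= v <= AFFECTED_MAX


def unauthenticated_rce_exposure(settings: dict) -> list:
    """Return the conditions that hold; an empty list means not exposed.

    All four must hold for the unauthenticated path described in the
    summary: affected version, registration on, readOnly off,
    deviceReadonly off.
    """
    findings = []
    version = str(settings.get("version", "0"))
    if version_affected(version):
        findings.append(f"version {version} is in the affected range 5.1-5.12")
    if settings.get("registration") is True:
        findings.append("self-registration is enabled")
    if settings.get("readOnly") is False:
        findings.append("readOnly is false")
    if settings.get("deviceReadonly") is False:
        findings.append("deviceReadonly is false")
    return findings if len(findings) == 4 else []


def safe_image_path(media_dir: str, device_id: int, content_type: str) -> Path:
    """Derive a device image path without letting the header steer location.

    Two independent controls: the subtype must match a strict allow-list,
    and the resolved path must remain inside media_dir. Either failure
    raises ValueError instead of writing anywhere.
    """
    allowed = {"jpeg": "jpg", "png": "png", "gif": "gif"}
    match = re.fullmatch(r"image/([A-Za-z0-9.+-]+)", content_type.strip())
    if not match or match.group(1).lower() not in allowed:
        raise ValueError(f"unsupported image Content-Type: {content_type!r}")
    ext = allowed[match.group(1).lower()]
    base = Path(media_dir).resolve()
    target = (base / str(int(device_id)) / f"device.{ext}").resolve()
    if base not in target.parents:
        raise ValueError("derived path escapes the media directory")
    return target


def content_type_is_safe(media_dir: str, device_id: int, content_type: str) -> bool:
    """Convenience wrapper: True when the header yields a contained path."""
    try:
        safe_image_path(media_dir, device_id, content_type)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    for label, raw in (("exposed", SAMPLE_EXPOSED), ("fixed", SAMPLE_FIXED)):
        print(label, unauthenticated_rce_exposure(json.loads(raw)))
    print(safe_image_path("/tmp/media_example", 7, "image/png"))
    print(content_type_is_safe("/tmp/media_example", 7, "image/../../../somewhere/else"))
```

Run stand-alone it prints the four findings for the constructed exposed settings, an empty list for the constructed Traccar 6 settings, the contained path for a normal image, and False for a traversal-shaped header. The allow-list alone rejects the traversal case; the containment check stays in place as a second, independent control for any path built from request data.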
Let me know if you need any further details or additional information.