Security flaw in top GPS system could have left users open to attack


Open-source tracking system Traccar GPS was found to have security vulnerabilities that could have allowed threat actors to run malicious code remotely and even take over affected devices.

A report from cybersecurity researchers at Horizon3.ai outlined the flaws and shared a proof-of-concept (PoC) to demonstrate how they could be exploited in the wild.

According to the researchers, Traccar GPS carried two path traversal vulnerabilities: CVE-2024-24809 and CVE-2024-31214. The former has a severity score of 8.5, while the latter scores 9.7. Both allow malicious actors to upload files with dangerous file types and thus put the entire endpoint in jeopardy.

Updates and patches

"The net result of CVE-2024-31214 and CVE-2024-24809 is that an attacker can place files with arbitrary content anywhere on the file system," the researchers said. "However an attacker only has partial control over the filename."

In layman’s terms, there is a bug in the way the program manages uploaded files, granting anyone the ability to overwrite specific system files. There are two prerequisites: guest registration must be turned on (which it is, by default), and the uploaded file must match the naming format.

Sharing the PoC, Horizon3.ai researchers said a malicious actor could upload a crontab file, effectively obtaining a reverse shell on the attacker host. This method only works on Windows devices though, since Debian/Ubuntu-based Linux operating systems have certain naming restrictions that render this method useless.

All Traccar versions between 5.1 and 5.12 were said to be vulnerable, and those fearing an attack should update the program to version 6, which was released in April this year. This version turns off self-registration by default, effectively closing down the attack avenue.

"If the registration setting is true, readOnly is false, and deviceReadonly is false, then an unauthenticated attacker can exploit these vulnerabilities," the researchers said. "These are the default settings for Traccar 5."
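The conditions the researchers list, together with the affected version range given above, can be turned into a quick exposure check for an exported server-settings document. This is an added example, not code from Traccar or Horizon3.ai; the flag names come from the quote, while the JSON layout, the `version` key, the function names and the sample documents are assumptions made for illustration.

```python
import json
import re

# Affected range as stated in the article: Traccar 5.1 through 5.12.
VULN_MIN, VULN_MAX = (5, 1), (5, 12)

# Constructed sample settings documents (not real server output).
SAMPLES = {
    "default-5.x": '{"version": "5.12", "registration": true, "readonly": false, "deviceReadonly": false}',
    "locked-5.x":  '{"version": "5.9", "registration": false, "readOnly": false, "deviceReadonly": false}',
    "upgraded":    '{"version": "6.2", "registration": false}',
}

def parse_version(text):
    """Return (major, minor) from strings such as '5.12', '6' or '5.12-SNAPSHOT'."""
    m = re.match(r"\s*(\d+)(?:\.(\d+))?", str(text))
    if not m:
        raise ValueError(f"unrecognised version: {text!r}")
    return int(m.group(1)), int(m.group(2) or 0)

def flag(settings, name, default):
    """Look a boolean up case-insensitively; fall back to the Traccar 5 default."""
    for key, value in settings.items():
        if key.lower() == name.lower():
            return bool(value)
    return default

def assess(settings):
    """Classify one settings document against the conditions quoted above."""
    if not (VULN_MIN <= parse_version(settings.get("version")) <= VULN_MAX):
        return "outside-affected-range"
    open_to_guests = (
        flag(settings, "registration", True)
        and not flag(settings, "readOnly", False)
        and not flag(settings, "deviceReadonly", False)
    )
    # Either way the build is in the affected range and should be upgraded.
    return "exposed-unauthenticated" if open_to_guests else "affected-version"

def audit(samples=SAMPLES):
    return {name: assess(json.loads(doc)) for name, doc in samples.items()}

if __name__ == "__main__":
    for name, verdict in audit().items():
        print(f"{name:12} {verdict}")
```

A missing flag is treated as the Traccar 5 default, so an incomplete export is reported as exposed rather than silently passed.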

Via The Hacker News


Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.