CVE-2024-24809 Scanner

CVE-2024-24809 Scanner - Unrestricted File Upload vulnerability in Traccar

Short Info

Level: High
Single Scan: Single Scan
Can be used by: Asset Owner
Estimated Time: 10 seconds
Time Interval: 23 days 1 hour
Scan only one: Domain, IPv4
Toolbox: -

Traccar is a widely used open-source GPS tracking system employed by businesses and individuals to manage and monitor GPS-enabled devices. It is used in a variety of environments, including fleet management, personal tracking, and asset monitoring. Users rely on Traccar for its web interface, which displays data in real time or as historical reports. With integrations and support for numerous devices, Traccar provides a flexible platform, and its capacity to handle large volumes of data makes it suitable for enterprise use. Traccar continuously evolves through community contributions, which enhance both its capabilities and its security measures.

The detected vulnerability is an unrestricted file upload: attackers can upload files of dangerous types to the server. Because uploads are handled improperly, users with only ordinary permissions can reach system paths. The exploitation vector takes advantage of the default registration settings in Traccar's deployment, which permit the creation of ordinary user accounts. By bypassing the upload restrictions, attackers might inject potentially harmful code or scripts that can then be executed to compromise the server. The patch released in version 6.0 addresses this by restricting file uploads.

Technically, the vulnerability lies in the API endpoints responsible for managing device images. Attackers manipulate the upload path so that files are saved in unintended directories on the server; filenames carrying the 'device.' prefix are the specific case abused to reach the system's directories. Because existing files can be overwritten, the flaw extends to clobbering critical server files, which can trigger XSS or server-side script execution. Typical targets are files that influence the server's execution paths or the control flow of its application.
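The mitigation the text points to (restricting what can be uploaded and where it lands) can be illustrated with the following added example; it is written for this page and is not Traccar's code. The layout MEDIA_ROOT/<device_id>/device.<ext> and the MIME allow-list are assumptions: the stored name is derived server-side, only an allow-listed extension is taken from the client, and the resolved path is checked to stay inside the media root.

```python
# Added example (not Traccar's code): derive a device-image path without letting
# the client name the file. Assumed layout: MEDIA_ROOT/<device_id>/device.<ext>.
from pathlib import Path

# Image extensions we accept and the MIME type each must declare (constructed list).
ALLOWED_IMAGE_TYPES = {
    "jpg": "image/jpeg", "jpeg": "image/jpeg", "png": "image/png",
    "gif": "image/gif", "webp": "image/webp",
}

class UploadRejected(ValueError):
    """Raised when an upload does not meet the policy."""

def safe_image_extension(client_filename: str, content_type: str) -> str:
    """Return the allow-listed extension for this upload, or reject it."""
    # Only the extension is read; any directory part the client sent is dropped.
    base = client_filename.replace("\\", "/").rsplit("/", 1)[-1]
    if "." not in base:
        raise UploadRejected("filename has no extension")
    ext = base.rsplit(".", 1)[1].lower()
    if ext not in ALLOWED_IMAGE_TYPES:
        raise UploadRejected(f"extension not allowed: {ext!r}")
    if content_type.split(";", 1)[0].strip().lower() != ALLOWED_IMAGE_TYPES[ext]:
        raise UploadRejected("content type does not match extension")
    return ext

def device_image_path(media_root: str, device_id: int,
                      client_filename: str, content_type: str) -> Path:
    """On-disk path for a device image; no client-controlled string names it."""
    if type(device_id) is not int or device_id <= 0:
        raise UploadRejected("device id must be a positive integer")
    ext = safe_image_extension(client_filename, content_type)
    root = Path(media_root).resolve()
    target = (root / str(device_id) / f"device.{ext}").resolve()
    if root not in target.parents:  # defence in depth: confirm containment
        raise UploadRejected("resolved path escapes media root")
    return target

def upload_accepted(media_root: str, device_id: int,
                    client_filename: str, content_type: str) -> bool:
    """True if the upload passes policy, False otherwise (no exception)."""
    try:
        device_image_path(media_root, device_id, client_filename, content_type)
    except UploadRejected:
        return False
    return True
```

Note that a client-supplied directory component never reaches the filesystem: the stored path is fully determined by the device id and the validated extension.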

Exploiting this vulnerability could lead to significant risks such as executing arbitrary commands, initiating phishing attacks, or hijacking server functionality. A successful exploit compromises server integrity and data confidentiality and can enable follow-on attacks such as system manipulation. Organizations may face severe consequences, including data breaches, loss of service, and reputational damage. Moreover, access retained through this vulnerability can serve as a vector for future attacks that reach deeper into the network infrastructure.
