Hacking Traccar GPS Tracking: From Surveillance to Full Control

A simple file-upload bug is the starting point for a full takeover of the server.

Two critical vulnerabilities have been discovered in Traccar, the popular GPS tracking system used in both personal and corporate deployments, and together they lead to remote code execution. The vulnerabilities, designated CVE-2024-31214 and CVE-2024-24809, can be exploited by unauthenticated attackers whenever the self-registration (guest registration) feature is enabled, which is the default in Traccar 5.

Traccar is a Java application that serves requests through an embedded Jetty server. Traccar 5.1 added a device image upload feature, and that feature introduced both bugs. Both issues lie in the handling of device image uploads: an attacker controls the file name and the file extension, and by inserting directory traversal sequences can have the file written to an arbitrary location on the file system. Once an attacker can drop a file of their choosing anywhere on disk, it is a short step to executing code on the server.

One attack scenario on Linux servers is to upload a crontab file, which gives the attacker a reverse shell. Other options are planting a malicious kernel module or creating malicious udev rules; these also yield remote code execution, triggered on reboot or user login.

On Windows systems, the same primitive can be used to place a malicious shortcut in the Startup folder, so the attacker's command runs every time a user logs in.
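To make the mechanism described above concrete, here is an added example (not Traccar's code and not from the Horizon3 write-up): a naive path builder that takes the device identifier as a directory and the Content-Type subtype as the extension, alongside a hardened builder that allowlists both inputs and then checks that the normalised path still sits under the media root. The media directory, the identifier format and the extension allowlist are assumptions chosen for the illustration; the traversal targets are the Linux drop-in directories the post mentions and are illustrative, not a tested payload.

```python
import posixpath
import re
from pathlib import PurePosixPath

# Assumed media directory for the example; real deployments differ.
MEDIA_ROOT = "/opt/traccar/media"

# Assumed allowlist: the only extensions an image endpoint should ever write.
ALLOWED_EXTENSIONS = {"jpeg", "jpg", "png", "gif", "webp"}

# Assumed identifier format: an opaque token never needs '/' or '.'.
UNIQUE_ID_RE = re.compile(r"^[A-Za-z0-9_-]{1,64}$")


def naive_image_path(unique_id: str, content_type: str) -> str:
    """Unsafe pattern: caller-controlled id becomes a directory, the
    Content-Type subtype becomes the extension, nothing is validated."""
    subtype = content_type.partition("/")[2]
    return f"{MEDIA_ROOT}/{unique_id}/device.{subtype}"


def escapes_root(path: str, root: str = MEDIA_ROOT) -> bool:
    """True when the normalised path does not live under root."""
    resolved = PurePosixPath(posixpath.normpath(path))
    return PurePosixPath(root) not in resolved.parents


def safe_image_path(unique_id: str, content_type: str) -> str:
    """Hardened variant: allowlist id and subtype, then still confirm the
    normalised result stays inside MEDIA_ROOT (defence in depth)."""
    if not UNIQUE_ID_RE.fullmatch(unique_id):
        raise ValueError(f"rejected device id {unique_id!r}")
    mtype, _, subtype = content_type.lower().partition("/")
    if mtype != "image" or subtype not in ALLOWED_EXTENSIONS:
        raise ValueError(f"rejected content type {content_type!r}")
    candidate = posixpath.normpath(f"{MEDIA_ROOT}/{unique_id}/device.{subtype}")
    if escapes_root(candidate):
        raise ValueError("path escapes media root")
    return candidate


def demo() -> list:
    """Run both builders over a benign request and two traversal attempts.
    Returns (naive resolved path, escaped?, hardened outcome) per case."""
    cases = [  # constructed inputs for the demonstration
        ("truck-17", "image/png"),
        ("../../../etc/cron.d", "image/x"),             # aims at a cron drop-in dir
        ("../../../etc/udev/rules.d", "image/rules"),   # aims at udev rules
    ]
    results = []
    for uid, ctype in cases:
        naive = posixpath.normpath(naive_image_path(uid, ctype))
        try:
            hardened = safe_image_path(uid, ctype)
        except ValueError as exc:
            hardened = f"REJECTED ({exc})"
        results.append((naive, escapes_root(naive), hardened))
    return results


if __name__ == "__main__":
    for naive, escaped, hardened in demo():
        print(f"naive={naive}  escaped={escaped}  hardened={hardened}")
```

The allowlist on its own already stops every case above; the final `escapes_root` check is there so that a later change to the identifier rules (say, allowing dots) cannot quietly reopen the traversal.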

The vulnerabilities were discovered by researchers at Horizon3, who reported them to the developers. Both are fixed in Traccar 6, which also ships with self-registration disabled by default, a notable improvement in the system's default security posture.

To protect their systems, users are advised to upgrade to Traccar 6 as soon as possible or, failing that, to disable self-registration. Be careful when rebooting a server that may already have been compromised: the kernel-module, udev and Startup-folder variants described above are exactly the payloads that fire on reboot or login.

At the time the vulnerabilities were disclosed, about 1400 Traccar 5 servers were exposed on the internet with the vulnerable default settings. Users are advised to check their own instances and take the necessary measures before someone else does.
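As an added example of what "check your instance" can look like (this is not Horizon3's tooling or a Traccar-provided check), the script below reads a server's JSON description and flags the combination the post describes: a 5.x release from 5.1 onwards, with self-registration switched on. It assumes that Traccar's `GET /api/server` endpoint answers without authentication and that its response carries `version` and `registration` fields; verify that assumption against your own instance. The sample responses at the bottom are constructed for the demonstration.

```python
import json
import re
import urllib.request

# Assumed field names in the /api/server JSON; confirm on your instance.
VERSION_FIELD = "version"
REGISTRATION_FIELD = "registration"


def parse_version(version: str) -> tuple:
    """'5.12' -> (5, 12); tolerant of suffixes such as '5.12-SNAPSHOT'.
    Missing components are padded with zeros, unparsable input gives (0, 0)."""
    parts = re.findall(r"\d+", version or "")
    parts = (parts + ["0", "0"])[:2]
    return tuple(int(p) for p in parts)


def assess(server_info: dict) -> dict:
    """Decide whether a server matches the vulnerable default described in
    the post: image upload exists from 5.1, the fix landed in 6, and the
    unauthenticated path needs self-registration to be enabled."""
    version = parse_version(str(server_info.get(VERSION_FIELD, "")))
    registration = bool(server_info.get(REGISTRATION_FIELD, False))
    affected_release = (5, 1) <= version < (6, 0)
    exploitable = affected_release and registration
    if exploitable:
        advice = "upgrade to Traccar 6 now, or at least disable self-registration"
    elif affected_release:
        advice = "self-registration is off, but upgrade to Traccar 6 anyway"
    else:
        advice = "not in the affected 5.1 to 5.x range"
    return {
        "version": version,
        "registration_enabled": registration,
        "affected_release": affected_release,
        "exploitable_by_default": exploitable,
        "advice": advice,
    }


def assess_url(base_url: str, timeout: float = 10.0) -> dict:
    """Fetch /api/server from a live instance and assess it.
    Network access is only needed for this helper, not for assess()."""
    url = base_url.rstrip("/") + "/api/server"
    with urllib.request.urlopen(url, timeout=timeout) as resp:
        return assess(json.load(resp))


# Constructed sample responses standing in for real servers.
SAMPLE_RESPONSES = {
    "old-5x-open":   {"version": "5.12", "registration": True},
    "old-5x-closed": {"version": "5.3", "registration": False},
    "pre-upload":    {"version": "5.0", "registration": True},
    "fixed":         {"version": "6.0", "registration": True},
}


def assess_samples() -> dict:
    """Assess every constructed sample; handy for a quick self-check."""
    return {name: assess(info) for name, info in SAMPLE_RESPONSES.items()}


if __name__ == "__main__":
    for name, verdict in assess_samples().items():
        print(f"{name:14s} {verdict['version']}  "
              f"registration={verdict['registration_enabled']}  "
              f"exploitable={verdict['exploitable_by_default']}  {verdict['advice']}")
```

Run it against a real host with `assess_url("https://tracker.example.internal")` (hypothetical address); a result with `exploitable_by_default` set is the configuration the post warns about.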
