Get all your news in one place.
100’s of premium titles.
One app.
Start reading
TechRadar
TechRadar
Sead Fadilpašić

Security flaw in top GPS system could have left users open to attack

A graphic showing fleet tracking locations over a city.

Open source tracking system Traccar GPS was found to have security vulnerabilities which could have allowed threat actors to run malicious code, remotely, and even take over flawed devices.

A report from cybersecurity researchers at Horizon3.ai outlined the flaw, and also shared a proof-of-concept (PoC) to demonstrate how the vulnerability could be exploited in the wild.

As per the researchers, Traccar GPS carried two path traversal vulnerabilities: CVE-2024-24809, and CVE-2024-31214. The former has a severity score of 8.5, while the latter 9.7. Both allow malicious actors to upload files with dangerous file types and thus put the entire endpoint in jeopardy.

Updates and patches

"The net result of CVE-2024-31214 and CVE-2024-24809 is that an attacker can place files with arbitrary content anywhere on the file system," the researchers said. "However an attacker only has partial control over the filename."

In layman’s terms, there is a bug in the way the program manages uploaded files, granting anyone the ability to overwrite specific system files. There are two prerequisites: to have guest registration turned on (which it is, by default), and to match the naming format. More details can be found on this link.

Sharing the PoC, Horiozon3.ai researchers said a malicious actor could upload a crontab file, effectively obtaining a reverse shell on the attacker host. This method only works on Windows devices though, since Debian/Ubuntu-based Linux operating systems have certain naming restrictions that render this method useless.

All Traccar versions between 5.1 and 5.12 were said to be vulnerable, and those fearing an attack should update the program to version 6, which was released in April this year. This version turns off self-registration by default, effectively closing down the attack avenue.

"If the registration setting is true, readOnly is false, and deviceReadonly is false, then an unauthenticated attacker can exploit these vulnerabilities," the researchers said. "These are the default settings for Traccar 5."

Via The Hacker News

More from TechRadar Pro

Sign up to read this article
Read news from 100’s of titles, curated specifically for you.
Already a member? Sign in here
Related Stories
Top stories on inkl right now
One subscription that gives you access to news from hundreds of sites
Already a member? Sign in here
Our Picks
Fourteen days free
Download the app
One app. One membership.
100+ trusted global sources.