August 31 - September 6, 2024

Traccar Exploit Chain

CVE-2024-24809 (two different path traversals) and CVE-2024-31214 (unrestricted file upload) is a bug chain affecting Traccar (fleet tracking/GPS software). We think this is a high value exploit chain because it could create a pivot into a mid-size+ business, and there are more than 10,000 Traccar servers visible on Censys.

Public exploits for this chain are restricted to Linux OS that allow the " character in filenames with /etc/cron.d (so Red Hat-based systems). Debian-based will ignore files in /etc/cron.d that have . or " characters. That greatly diminishes the value of the exploit chain. However, the team developed an additional exploit that works on all Linux variants by using /etc/udev/rules.d/. All told, for this bug chain, the team developed a version scanner, two unique exploits, four network signatures, a vulnerable docker image, and Censys/GreyNoise/Shodan queries.

Clarification on D-Link "Won't Fix" CVE: CVE-2024-44340 - CVE-2024-44342 and CVE-2024-41622

There was a lot of hype this last week from infosecurity about four vulnerabilities that D-Link said they won't fix:

• https://www.bleepingcomputer.com/news/security/d-link-says-it-is-not-fixing-four-rce-flaws-in-dir-846w-routers/
• https://www.securityweek.com/d-link-warns-of-code-execution-flaws-in-discontinued-router-model/
• https://www.runzero.com/blog/d-link-dir-864w/
• https://cyware.com/news/d-link-says-it-is-not-fixing-four-rce-flaws-in-dir-846w-routers-cca3ea41

NVD, unfortunately, has listed three of these as "Unauthenticated RCE", so the team was asked to investigate. The team not only found that all of these are authenticated vulnerabilities, but they are duplicates of older CVE. Additionally, those old CVE have known (authenticated) proof of concept exploits. The breakdown goes like this:

• CVE-2024-44340 is a duplicate of CVE-2023-6580. An authenticated proof of concept can be found here.
• CVE-2024-44341 is a duplicate of CVE-2022-46552. An authenticated proof of concept can be found on Exploit-DB.
• CVE-2024-44342 is a duplicate of CVE-2021-46315 (which is a duplicate of CVE-2019-17509). An authenticated proof of concept can be found here.
• CVE-2024-41622 is a duplicate of CVE-2023-33735 and CVE-2021-46314. An authenticated proof of concept can be found here and here.

Given the nature of these vulnerabilities, we do not plan to create any detection artifacts or exploits. We thought this information would be useful though.

CVE-2024-5932: GiveWP Remote Code Execution

The team added an exploit, pcap, and signatures for a remote code execution (PHP object injection) in the GiveWP plugin for WordPress. At the time of disclosure, Wordfence noted "over 100,000 active installations." GiveWP allows for the creation of donation forms in WordPress; donation forms are commonly found on public websites. The exploit spawns a reverse shell that connects back to the attacker. Given the amount of attention this vulnerability has received, we anticipate that it will eventually be added to VulnCheck KEV.

IP Intel Update

Now tracking a cluster of IPs associated with a SLOW#TEMPEST phishing campaign. They are utilizing a software called DayBreak that we are now also tracking, which is a Chinese "breach attack simulation" tool that has a C2 component.