Traccar Open-Source GPS Tracking System OAuth 2.0 Authorization Code Theft Vulnerability

Vulnerability

Traccar, an open-source GPS tracking system, through version 6.11.1 allows an authenticated user to steal OAuth 2.0 authorization codes via an open redirect in two OpenID Connect (OIDC) endpoints. The 'redirect_uri' parameter is not validated against the redirect URIs registered for the requesting client, so an attacker can make the server deliver the authorization code to a URL they control. Because a captured code can then be redeemed for tokens, this can lead to account takeover on applications that rely on Traccar for OAuth/OIDC sign-in.

Impact

An attacker who captures an authorization code can exchange it at the token endpoint for access (and, where issued, refresh) tokens and thereby take over the victim's account on the integrated application for as long as those tokens remain valid. The same open redirect also serves as a phishing vector: a victim who completes authentication on the legitimate Traccar host is then sent to an attacker-chosen page. Two practical caveats: authorization codes are short-lived and single-use, so the attacker must redeem a stolen code before the legitimate client does, and whether the exchange additionally requires a client secret depends on how the relying party's client is registered (public versus confidential client).

Reproduction

Reproducing the issue requires a logged-in session: first authenticate to Traccar to obtain a session cookie. With that session, send a request to the '/api/oidc/authorize' endpoint whose 'redirect_uri' points at a host you control; the server issues an authorization code and redirects the browser to that URL with the code attached, where it can be read from the receiving host's access log. In a real attack the crafted authorize link is delivered to a victim who is already logged in, since the code issued belongs to whichever session follows the link. If the OIDC client functionality is enabled, the same result can be obtained through the '/api/session/openid/callback' endpoint, where a request-supplied 'redirect_uri' overrides the configured destination and sends the authorization response to an attacker-controlled URL.

Remediation

Users are advised to update to the latest version of Traccar; the advisory does not name a specific patched version. For developers, the fix is to validate 'redirect_uri' in 'OidcResource.java' against the redirect URIs pre-registered for each client, using exact string comparison rather than prefix or substring matching, and to refuse the request (returning an error instead of redirecting) when no entry matches; and to remove the 'redirect_uri' override in 'OpenIdProvider.java' so the callback always uses the configured destination. After patching, confirm that a request to '/api/oidc/authorize' carrying an unregistered 'redirect_uri' yields an error response rather than a redirect.
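The following Python model is an added illustration covering both the Reproduction and Remediation sections above; it is not Traccar's code and does not reproduce the Java in 'OidcResource.java' or 'OpenIdProvider.java'. It contrasts an authorize endpoint that redirects wherever the request says with one that checks 'redirect_uri' against a per-client registry by exact match and fails closed, and does the same for a client-side callback that does or does not honour a request-supplied override. The client registry, the client id 'fleet-dashboard', the hostnames and the post-login URL are constructed for the example.

```python
import secrets
from urllib.parse import parse_qs, urlencode, urlsplit

# Hypothetical client registry (constructed for this example): each client_id
# maps to the exact redirect URIs registered for it.
REGISTERED_CLIENTS = {
    "fleet-dashboard": ("https://fleet.example.com/oidc/callback",),
}

# Hypothetical fixed post-login destination used by the OIDC client callback.
CONFIGURED_POST_LOGIN_URL = "https://traccar.example.com/"


def build_redirect(redirect_uri, code, state):
    """Append code and state to the target, as an OAuth 2.0 code response does."""
    sep = "&" if urlsplit(redirect_uri).query else "?"
    return ("redirect", redirect_uri + sep + urlencode({"code": code, "state": state}))


def authorize_vulnerable(client_id, redirect_uri, state):
    """Models the flaw: redirect_uri is taken from the request unvalidated."""
    code = secrets.token_urlsafe(24)
    return build_redirect(redirect_uri, code, state)


def redirect_uri_allowed(client_id, redirect_uri):
    """Exact-match check against the client's registered redirect URIs.

    No prefix, substring or hostname-suffix matching: those would still let
    https://fleet.example.com.attacker.example.net/... or path-traversal
    variants through. Scheme differences (http vs https) also fail the check.
    """
    return redirect_uri in REGISTERED_CLIENTS.get(client_id, ())


def authorize_hardened(client_id, redirect_uri, state):
    """Validates redirect_uri first and fails closed on mismatch.

    RFC 6749 section 4.1.2.1: when redirect_uri is invalid the server must not
    redirect to it; it should show an error to the resource owner instead.
    """
    if not redirect_uri_allowed(client_id, redirect_uri):
        return ("error", "invalid_redirect_uri")
    code = secrets.token_urlsafe(24)
    return build_redirect(redirect_uri, code, state)


def callback_vulnerable(query_params):
    """Models the client-side callback with a request-supplied override."""
    target = query_params.get("redirect_uri", CONFIGURED_POST_LOGIN_URL)
    return ("redirect", target)


def callback_hardened(query_params):
    """Ignores any redirect_uri in the request; the destination is fixed."""
    return ("redirect", CONFIGURED_POST_LOGIN_URL)


def code_recipient(result):
    """Hostname that receives the authorization code, or None if refused."""
    kind, value = result
    if kind != "redirect":
        return None
    return urlsplit(value).hostname


def response_code(result):
    """Extract the code parameter from a redirect result (None if absent)."""
    kind, value = result
    if kind != "redirect":
        return None
    return parse_qs(urlsplit(value).query).get("code", [None])[0]


if __name__ == "__main__":
    evil = "https://attacker.example.net/collect"
    # Vulnerable: the code is sent to the attacker's host.
    print(authorize_vulnerable("fleet-dashboard", evil, "s1"))
    # Hardened: the request is refused and no code is issued.
    print(authorize_hardened("fleet-dashboard", evil, "s1"))
```

The hardened variants never echo the unvalidated value back into a Location header, which is the behaviour to verify after a fix: an unregistered 'redirect_uri' must produce an error page, not a redirect, and the callback's destination must not change no matter what the query string carries.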

Added: Feb 23, 2026, 10:26 PM
Updated: Feb 23, 2026, 10:26 PM

Vulnerability Rating

Custom Algorithm
spread: 3.1
impact: 5.0
exploitability: 6.2
remediation: 0.0
relevance: 3.1
threat: 6.4
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.