PT-2026-55664 · Pypi · Motioneye

Publicado

2026-06-23

·

Atualizado

2026-06-23

CVSS v3.1

9.8

Crítica

VetorAV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Summary

A multi‑stage chain in motionEye leads to remote code execution. The chain combines:
  1. Arbitrary file read (LFI) via the picture download endpoint for local motion cameras using absolute paths.
  2. Pass‑the‑hash admin auth due to accepting request signatures computed with password hashes.
  3. Unsafe config restore that extracts attacker‑controlled tarballs into CONF PATH.
  4. Unauthenticated action execution via /action/<id>/<action>.
If the normal user password is unset, the chain becomes unauthenticated RCE. If a normal password exists, a normal user can still achieve admin escalation and RCE.

Affected Code (motionEye repo)

1) LFI (absolute path) — picture/<id>/download

Files:
  • motioneye/motioneye/handlers/picture.pydownload() (local motion camera branch)
  • motioneye/motioneye/mediafiles.pyget media content()
Issue: get media content() only blocks .. and then joins target dir with path. Absolute paths (e.g. /etc/hosts) bypass the join and are read directly.

2) Pass‑the‑hash admin auth

File: motioneye/motioneye/handlers/base.pyget current user()
Issue: The signature check allows signatures computed using the admin password hash (SHA1) as the key. If the hash is leaked (via LFI), admin access can be obtained without the plaintext password.

3) Unsafe restore (tar extraction)

File: motioneye/motioneye/config.pyrestore()
Issue: tar zxC CONF PATH is used on user‑supplied data without sanitizing entries. A crafted tar can drop executable files into CONF PATH.

4) Unauthenticated action execution

File: motioneye/motioneye/handlers/action.pypost()
Issue: No authentication decorator is present. It executes <action> <camera id> found in CONF PATH with subprocess.Popen.

Exploit Chain (Detailed)

  1. Create or find a local motion camera id (local motion cameras are required for the vulnerable LFI path).
  2. LFI via picture download:
  • Request: /picture/<id>/download/<absolute path>
  • Example: /picture/1/download/%2Fetc%2Fhosts
  • Result: Arbitrary file read.
  1. Read admin hash from /etc/motioneye/motion.conf:
  • Contains @admin password <SHA1 HASH>.
  1. Pass‑the‑hash admin:
  • Compute signature for /config/restore? username=admin using the hash as key.
  • Admin access is accepted with hash‑based signatures.
  1. Restore malicious tar:
  • Upload a tar containing lock <id> (or any action) as an executable.
  • File is written into CONF PATH by restore.
  1. Trigger unauth action:
  • POST /action/<id>/lock
  • The server executes the injected file.

Proof of Execution (Observed Output)

In local testing, the injected action created a marker file:
/tmp/meye rce ok
Verification command:
docker exec -it motioneye ls -la /tmp | grep meye rce ok
Example output:
-rw-r--r-- 1 root root 0 ... /tmp/meye rce ok

Preconditions / Requirements

  • At least one local motion camera exists (e.g., netcam url, videodevice).
  • picture/<id>/download is reachable:
  • Unauth if @normal password is empty (default in some installs).
  • Auth required if normal password is set (attacker needs normal creds).

Impact

  • Unauth RCE (normal password unset).
  • Authenticated RCE (normal user → admin → RCE).
  • Arbitrary file read on server filesystem.
  • Full compromise of motionEye process account.

Suggested Fixes

  1. Block absolute paths in get media content() and get media path().
  2. Remove hash‑based signature acceptance; only accept signatures computed with plaintext passwords.
  3. Harden restore: reject absolute paths, .., symlinks, non‑regular files.
  4. Require authentication on ActionHandler (admin‑only).

Correção

Path traversal

Unrestricted File Upload

Missing Authentication

Improper Verification of Cryptographic Signature

Improper Privilege Management

Encontrou algum problema na descrição? Tem algo a acrescentar? Fique à vontade para nos escrever 👾

Enumeração de Fraquezas

Identificadores relacionados

GHSA-QXVG-H7Q2-HCXH

Produtos afetados

Motioneye