PT-2026-55664 · Pypi · Motioneye
Publicado
2026-06-23
·
Atualizado
2026-06-23
CVSS v3.1
9.8
Crítica
| Vetor | AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
Summary
A multi‑stage chain in motionEye leads to remote code execution. The chain combines:
- Arbitrary file read (LFI) via the picture download endpoint for local motion cameras using absolute paths.
- Pass‑the‑hash admin auth due to accepting request signatures computed with password hashes.
- Unsafe config restore that extracts attacker‑controlled tarballs into
CONF PATH. - Unauthenticated action execution via
/action/<id>/<action>.
If the normal user password is unset, the chain becomes unauthenticated RCE. If a normal password exists, a normal user can still achieve admin escalation and RCE.
Affected Code (motionEye repo)
1) LFI (absolute path) — picture/<id>/download
Files:
motioneye/motioneye/handlers/picture.py→download()(local motion camera branch)motioneye/motioneye/mediafiles.py→get media content()
Issue:
get media content() only blocks .. and then joins target dir with path. Absolute paths (e.g. /etc/hosts) bypass the join and are read directly.2) Pass‑the‑hash admin auth
File:
motioneye/motioneye/handlers/base.py → get current user()Issue: The signature check allows signatures computed using the admin password hash (SHA1) as the key. If the hash is leaked (via LFI), admin access can be obtained without the plaintext password.
3) Unsafe restore (tar extraction)
File:
motioneye/motioneye/config.py → restore()Issue:
tar zxC CONF PATH is used on user‑supplied data without sanitizing entries. A crafted tar can drop executable files into CONF PATH.4) Unauthenticated action execution
File:
motioneye/motioneye/handlers/action.py → post()Issue: No authentication decorator is present. It executes
<action> <camera id> found in CONF PATH with subprocess.Popen.Exploit Chain (Detailed)
- Create or find a local motion camera id (local motion cameras are required for the vulnerable LFI path).
- LFI via picture download:
- Request:
/picture/<id>/download/<absolute path> - Example:
/picture/1/download/%2Fetc%2Fhosts - Result: Arbitrary file read.
- Read admin hash from
/etc/motioneye/motion.conf:
- Contains
@admin password <SHA1 HASH>.
- Pass‑the‑hash admin:
- Compute signature for
/config/restore? username=adminusing the hash as key. - Admin access is accepted with hash‑based signatures.
- Restore malicious tar:
- Upload a tar containing
lock <id>(or any action) as an executable. - File is written into
CONF PATHby restore.
- Trigger unauth action:
- POST
/action/<id>/lock - The server executes the injected file.
Proof of Execution (Observed Output)
In local testing, the injected action created a marker file:
/tmp/meye rce okVerification command:
docker exec -it motioneye ls -la /tmp | grep meye rce okExample output:
-rw-r--r-- 1 root root 0 ... /tmp/meye rce okPreconditions / Requirements
- At least one local motion camera exists (e.g.,
netcam url,videodevice). picture/<id>/downloadis reachable:- Unauth if
@normal passwordis empty (default in some installs). - Auth required if normal password is set (attacker needs normal creds).
Impact
- Unauth RCE (normal password unset).
- Authenticated RCE (normal user → admin → RCE).
- Arbitrary file read on server filesystem.
- Full compromise of motionEye process account.
Suggested Fixes
- Block absolute paths in
get media content()andget media path(). - Remove hash‑based signature acceptance; only accept signatures computed with plaintext passwords.
- Harden restore: reject absolute paths,
.., symlinks, non‑regular files. - Require authentication on
ActionHandler(admin‑only).
Correção
Path traversal
Unrestricted File Upload
Missing Authentication
Improper Verification of Cryptographic Signature
Improper Privilege Management
Encontrou algum problema na descrição? Tem algo a acrescentar? Fique à vontade para nos escrever 👾
Identificadores relacionados
Produtos afetados
Motioneye