GHSA-QXVG-H7Q2-HCXH
Vulnerability from github – Published: 2026-06-23 18:53 – Updated: 2026-06-23 18:53
VLAI
Summary
motionEye: LFI → pass‑the‑hash admin → unsafe restore → unauth action exec (RCE)
Details
Summary
A multi‑stage chain in motionEye leads to remote code execution. The chain combines:
- Arbitrary file read (LFI) via the picture download endpoint for local motion cameras using absolute paths.
- Pass‑the‑hash admin auth due to accepting request signatures computed with password hashes.
- Unsafe config restore that extracts attacker‑controlled tarballs into
CONF_PATH. - Unauthenticated action execution via
/action/<id>/<action>.
If the normal user password is unset, the chain becomes unauthenticated RCE. If a normal password exists, a normal user can still achieve admin escalation and RCE.
Affected Code (motionEye repo)
1) LFI (absolute path) — picture/<id>/download
Files:
- motioneye/motioneye/handlers/picture.py → download() (local motion camera branch)
- motioneye/motioneye/mediafiles.py → get_media_content()
Issue: get_media_content() only blocks .. and then joins target_dir with path. Absolute paths (e.g. /etc/hosts) bypass the join and are read directly.
2) Pass‑the‑hash admin auth
File: motioneye/motioneye/handlers/base.py → get_current_user()
Issue: The signature check allows signatures computed using the admin password hash (SHA1) as the key. If the hash is leaked (via LFI), admin access can be obtained without the plaintext password.
3) Unsafe restore (tar extraction)
File: motioneye/motioneye/config.py → restore()
Issue: tar zxC CONF_PATH is used on user‑supplied data without sanitizing entries. A crafted tar can drop executable files into CONF_PATH.
4) Unauthenticated action execution
File: motioneye/motioneye/handlers/action.py → post()
Issue: No authentication decorator is present. It executes <action>_<camera_id> found in CONF_PATH with subprocess.Popen.
Exploit Chain (Detailed)
- Create or find a local motion camera id (local motion cameras are required for the vulnerable LFI path).
- LFI via picture download:
- Request:
/picture/<id>/download/<absolute_path> - Example:
/picture/1/download/%2Fetc%2Fhosts - Result: Arbitrary file read.
- Read admin hash from
/etc/motioneye/motion.conf: - Contains
@admin_password <SHA1_HASH>. - Pass‑the‑hash admin:
- Compute signature for
/config/restore?_username=adminusing the hash as key. - Admin access is accepted with hash‑based signatures.
- Restore malicious tar:
- Upload a tar containing
lock_<id>(or any action) as an executable. - File is written into
CONF_PATHby restore. - Trigger unauth action:
- POST
/action/<id>/lock - The server executes the injected file.
Proof of Execution (Observed Output)
In local testing, the injected action created a marker file:
/tmp/meye_rce_ok
Verification command:
docker exec -it motioneye ls -la /tmp | grep meye_rce_ok
Example output:
-rw-r--r-- 1 root root 0 ... /tmp/meye_rce_ok
Preconditions / Requirements
- At least one local motion camera exists (e.g.,
netcam_url,videodevice). picture/<id>/downloadis reachable:- Unauth if
@normal_passwordis empty (default in some installs). - Auth required if normal password is set (attacker needs normal creds).
Impact
- Unauth RCE (normal password unset).
- Authenticated RCE (normal user → admin → RCE).
- Arbitrary file read on server filesystem.
- Full compromise of motionEye process account.
Suggested Fixes
- Block absolute paths in
get_media_content()andget_media_path(). - Remove hash‑based signature acceptance; only accept signatures computed with plaintext passwords.
- Harden restore: reject absolute paths,
.., symlinks, non‑regular files. - Require authentication on
ActionHandler(admin‑only).
Severity
9.8 (Critical)
{
"affected": [
{
"package": {
"ecosystem": "PyPI",
"name": "motioneye"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "0.44.0"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [],
"database_specific": {
"cwe_ids": [
"CWE-22",
"CWE-269",
"CWE-306",
"CWE-347",
"CWE-434"
],
"github_reviewed": true,
"github_reviewed_at": "2026-06-23T18:53:04Z",
"nvd_published_at": null,
"severity": "CRITICAL"
},
"details": "## Summary\nA multi\u2011stage chain in motionEye leads to remote code execution. The chain combines:\n\n1. **Arbitrary file read (LFI)** via the picture download endpoint for **local motion cameras** using absolute paths.\n2. **Pass\u2011the\u2011hash admin auth** due to accepting request signatures computed with password hashes.\n3. **Unsafe config restore** that extracts attacker\u2011controlled tarballs into `CONF_PATH`.\n4. **Unauthenticated action execution** via `/action/\u003cid\u003e/\u003caction\u003e`.\n\nIf the **normal user password is unset**, the chain becomes **unauthenticated RCE**. If a normal password exists, a **normal user** can still achieve **admin escalation and RCE**.\n\n---\n\n## Affected Code (motionEye repo)\n\n### 1) LFI (absolute path) \u2014 `picture/\u003cid\u003e/download`\n**Files:**\n- `motioneye/motioneye/handlers/picture.py` \u2192 `download()` (local motion camera branch)\n- `motioneye/motioneye/mediafiles.py` \u2192 `get_media_content()`\n\n**Issue:** `get_media_content()` only blocks `..` and then joins `target_dir` with `path`. Absolute paths (e.g. `/etc/hosts`) bypass the join and are read directly.\n\n### 2) Pass\u2011the\u2011hash admin auth\n**File:** `motioneye/motioneye/handlers/base.py` \u2192 `get_current_user()`\n\n**Issue:** The signature check allows signatures computed using the **admin password hash** (SHA1) as the key. If the hash is leaked (via LFI), admin access can be obtained without the plaintext password.\n\n### 3) Unsafe restore (tar extraction)\n**File:** `motioneye/motioneye/config.py` \u2192 `restore()`\n\n**Issue:** `tar zxC CONF_PATH` is used on user\u2011supplied data without sanitizing entries. A crafted tar can drop executable files into `CONF_PATH`.\n\n### 4) Unauthenticated action execution\n**File:** `motioneye/motioneye/handlers/action.py` \u2192 `post()`\n\n**Issue:** No authentication decorator is present. It executes `\u003caction\u003e_\u003ccamera_id\u003e` found in `CONF_PATH` with `subprocess.Popen`.\n\n---\n\n## Exploit Chain (Detailed)\n\n1. **Create or find a local motion camera id** (local motion cameras are required for the vulnerable LFI path).\n2. **LFI via picture download**:\n - Request: `/picture/\u003cid\u003e/download/\u003cabsolute_path\u003e`\n - Example: `/picture/1/download/%2Fetc%2Fhosts`\n - Result: Arbitrary file read.\n3. **Read admin hash** from `/etc/motioneye/motion.conf`:\n - Contains `@admin_password \u003cSHA1_HASH\u003e`.\n4. **Pass\u2011the\u2011hash admin**:\n - Compute signature for `/config/restore?_username=admin` using the **hash** as key.\n - Admin access is accepted with hash\u2011based signatures.\n5. **Restore malicious tar**:\n - Upload a tar containing `lock_\u003cid\u003e` (or any action) as an executable.\n - File is written into `CONF_PATH` by restore.\n6. **Trigger unauth action**:\n - POST `/action/\u003cid\u003e/lock`\n - The server executes the injected file.\n\n---\n\n## Proof of Execution (Observed Output)\nIn local testing, the injected action created a marker file:\n\n```\n/tmp/meye_rce_ok\n```\n\nVerification command:\n```\ndocker exec -it motioneye ls -la /tmp | grep meye_rce_ok\n```\nExample output:\n```\n-rw-r--r-- 1 root root 0 ... /tmp/meye_rce_ok\n```\n\n---\n\n## Preconditions / Requirements\n\n- At least **one local motion camera** exists (e.g., `netcam_url`, `videodevice`).\n- `picture/\u003cid\u003e/download` is reachable:\n - **Unauth** if `@normal_password` is empty (default in some installs).\n - **Auth required** if normal password is set (attacker needs normal creds).\n\n---\n\n## Impact\n- **Unauth RCE** (normal password unset).\n- **Authenticated RCE** (normal user \u2192 admin \u2192 RCE).\n- Arbitrary file read on server filesystem.\n- Full compromise of motionEye process account.\n\n---\n\n## Suggested Fixes\n1. **Block absolute paths** in `get_media_content()` and `get_media_path()`.\n2. **Remove hash\u2011based signature acceptance**; only accept signatures computed with plaintext passwords.\n3. **Harden restore**: reject absolute paths, `..`, symlinks, non\u2011regular files.\n4. **Require authentication** on `ActionHandler` (admin\u2011only).",
"id": "GHSA-qxvg-h7q2-hcxh",
"modified": "2026-06-23T18:53:04Z",
"published": "2026-06-23T18:53:04Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/motioneye-project/motioneye/security/advisories/GHSA-qxvg-h7q2-hcxh"
},
{
"type": "PACKAGE",
"url": "https://github.com/motioneye-project/motioneye"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
],
"summary": "motionEye: LFI \u2192 pass\u2011the\u2011hash admin \u2192 unsafe restore \u2192 unauth action exec (RCE)"
}
Loading…
Loading…
Experimental. This forecast is provided for visualization only and may change without notice. Do not use it for operational decisions.
Forecast uses a logistic model when the trend is rising, or an exponential decay model when the trend is falling. Fitted via linearized least squares.
Sightings
| Author | Source | Type | Date | Other |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or observed by the user.
- Confirmed: The vulnerability has been validated from an analyst's perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
- Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
- Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
- Not confirmed: The user expressed doubt about the validity of the vulnerability.
- Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.
Loading…
Loading…