Skip to content

Commit a3cb2cd

Browse files
1 parent ac14095 commit a3cb2cd

1 file changed

Lines changed: 59 additions & 0 deletions

File tree

Lines changed: 59 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,59 @@
1+
{
2+
"schema_version": "1.4.0",
3+
"id": "GHSA-qxvg-h7q2-hcxh",
4+
"modified": "2026-06-23T18:53:04Z",
5+
"published": "2026-06-23T18:53:04Z",
6+
"aliases": [],
7+
"summary": "motionEye: LFI → pass‑the‑hash admin → unsafe restore → unauth action exec (RCE)",
8+
"details": "## Summary\nA multi‑stage chain in motionEye leads to remote code execution. The chain combines:\n\n1. **Arbitrary file read (LFI)** via the picture download endpoint for **local motion cameras** using absolute paths.\n2. **Pass‑the‑hash admin auth** due to accepting request signatures computed with password hashes.\n3. **Unsafe config restore** that extracts attacker‑controlled tarballs into `CONF_PATH`.\n4. **Unauthenticated action execution** via `/action/<id>/<action>`.\n\nIf the **normal user password is unset**, the chain becomes **unauthenticated RCE**. If a normal password exists, a **normal user** can still achieve **admin escalation and RCE**.\n\n---\n\n## Affected Code (motionEye repo)\n\n### 1) LFI (absolute path) — `picture/<id>/download`\n**Files:**\n- `motioneye/motioneye/handlers/picture.py` → `download()` (local motion camera branch)\n- `motioneye/motioneye/mediafiles.py` → `get_media_content()`\n\n**Issue:** `get_media_content()` only blocks `..` and then joins `target_dir` with `path`. Absolute paths (e.g. `/etc/hosts`) bypass the join and are read directly.\n\n### 2) Pass‑the‑hash admin auth\n**File:** `motioneye/motioneye/handlers/base.py` → `get_current_user()`\n\n**Issue:** The signature check allows signatures computed using the **admin password hash** (SHA1) as the key. If the hash is leaked (via LFI), admin access can be obtained without the plaintext password.\n\n### 3) Unsafe restore (tar extraction)\n**File:** `motioneye/motioneye/config.py` → `restore()`\n\n**Issue:** `tar zxC CONF_PATH` is used on user‑supplied data without sanitizing entries. A crafted tar can drop executable files into `CONF_PATH`.\n\n### 4) Unauthenticated action execution\n**File:** `motioneye/motioneye/handlers/action.py` → `post()`\n\n**Issue:** No authentication decorator is present. It executes `<action>_<camera_id>` found in `CONF_PATH` with `subprocess.Popen`.\n\n---\n\n## Exploit Chain (Detailed)\n\n1. **Create or find a local motion camera id** (local motion cameras are required for the vulnerable LFI path).\n2. **LFI via picture download**:\n - Request: `/picture/<id>/download/<absolute_path>`\n - Example: `/picture/1/download/%2Fetc%2Fhosts`\n - Result: Arbitrary file read.\n3. **Read admin hash** from `/etc/motioneye/motion.conf`:\n - Contains `@admin_password <SHA1_HASH>`.\n4. **Pass‑the‑hash admin**:\n - Compute signature for `/config/restore?_username=admin` using the **hash** as key.\n - Admin access is accepted with hash‑based signatures.\n5. **Restore malicious tar**:\n - Upload a tar containing `lock_<id>` (or any action) as an executable.\n - File is written into `CONF_PATH` by restore.\n6. **Trigger unauth action**:\n - POST `/action/<id>/lock`\n - The server executes the injected file.\n\n---\n\n## Proof of Execution (Observed Output)\nIn local testing, the injected action created a marker file:\n\n```\n/tmp/meye_rce_ok\n```\n\nVerification command:\n```\ndocker exec -it motioneye ls -la /tmp | grep meye_rce_ok\n```\nExample output:\n```\n-rw-r--r-- 1 root root 0 ... /tmp/meye_rce_ok\n```\n\n---\n\n## Preconditions / Requirements\n\n- At least **one local motion camera** exists (e.g., `netcam_url`, `videodevice`).\n- `picture/<id>/download` is reachable:\n - **Unauth** if `@normal_password` is empty (default in some installs).\n - **Auth required** if normal password is set (attacker needs normal creds).\n\n---\n\n## Impact\n- **Unauth RCE** (normal password unset).\n- **Authenticated RCE** (normal user → admin → RCE).\n- Arbitrary file read on server filesystem.\n- Full compromise of motionEye process account.\n\n---\n\n## Suggested Fixes\n1. **Block absolute paths** in `get_media_content()` and `get_media_path()`.\n2. **Remove hash‑based signature acceptance**; only accept signatures computed with plaintext passwords.\n3. **Harden restore**: reject absolute paths, `..`, symlinks, non‑regular files.\n4. **Require authentication** on `ActionHandler` (admin‑only).",
9+
"severity": [
10+
{
11+
"type": "CVSS_V3",
12+
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"
13+
}
14+
],
15+
"affected": [
16+
{
17+
"package": {
18+
"ecosystem": "PyPI",
19+
"name": "motioneye"
20+
},
21+
"ranges": [
22+
{
23+
"type": "ECOSYSTEM",
24+
"events": [
25+
{
26+
"introduced": "0"
27+
},
28+
{
29+
"fixed": "0.44.0"
30+
}
31+
]
32+
}
33+
]
34+
}
35+
],
36+
"references": [
37+
{
38+
"type": "WEB",
39+
"url": "https://github.com/motioneye-project/motioneye/security/advisories/GHSA-qxvg-h7q2-hcxh"
40+
},
41+
{
42+
"type": "PACKAGE",
43+
"url": "https://github.com/motioneye-project/motioneye"
44+
}
45+
],
46+
"database_specific": {
47+
"cwe_ids": [
48+
"CWE-22",
49+
"CWE-269",
50+
"CWE-306",
51+
"CWE-347",
52+
"CWE-434"
53+
],
54+
"severity": "CRITICAL",
55+
"github_reviewed": true,
56+
"github_reviewed_at": "2026-06-23T18:53:04Z",
57+
"nvd_published_at": null
58+
}
59+
}

0 commit comments

Comments
 (0)