motionEye Partial Authentication Bypass: Unauthenticated Admin Credential Theft via Path Traversal
Unauthenticated attackers can exploit a path traversal vulnerability in motionEye versions prior to 0.44.0 to read the application's configuration file, steal the admin SHA-1 password hash, and achieve full administrative access, leading to remote code execution.
A critical vulnerability exists in motionEye versions prior to 0.44.0, enabling unauthenticated attackers to gain full administrative access and remote code execution. This is achieved by chaining two issues: a default configuration allowing unauthenticated access to normal-user endpoints when the normal user password is empty, and a path traversal vulnerability in several handlers (e.g., MoviePlaybackHandler). By exploiting the path traversal, an attacker can read the motion.conf file, which contains the admin password as a SHA-1 hash. This hash can then be used directly as a signing key to bypass authentication and gain full admin privileges without cracking. The scenario is realistic for home surveillance setups where the admin password protects settings, but camera feeds are left open for household members, making affected instances vulnerable to complete compromise.
Attack Chain
- Reconnaissance & Initial Access: An attacker identifies a motionEye instance configured with an empty normal user password (default setting), allowing unauthenticated access to normal-level endpoints.
- Path Traversal Exploitation: The attacker crafts and sends an unauthenticated HTTP GET request to a vulnerable handler, such as
/movie/1/playback//etc/motioneye/motion.conf, leveraging the path traversal vulnerability. - Information Disclosure: The motionEye server's
MoviePlaybackHandler(or similar) processes the malicious path, bypassing intended directory restrictions due to overridden safety checks, and reads themotion.conffile from the filesystem. - Credential Theft: The server's response contains the content of
motion.conf, from which the attacker extracts the admin password's SHA-1 hash, stored as a comment line (e.g.,# @admin_password 7b7d...). - Authentication Bypass: The attacker uses the stolen SHA-1 hash directly as a signing key by setting the
meye_password_hashcookie, authenticating as an administrator to the motionEye web interface. - Privilege Escalation & Remote Code Execution: With full admin access, the attacker leverages the configuration API to inject arbitrary shell commands into motion event hooks (e.g.,
command_notifications_exec), which are then executed by the underlyingmotiondaemon with the privileges of the motionEye process, achieving RCE.
Impact
This vulnerability leads to a severe privilege escalation from zero credentials to full admin access on any motionEye installation where the admin password is set but the normal user password is left empty (a common default configuration). Attackers can achieve arbitrary file read, potentially accessing sensitive files like /etc/passwd or SSH keys, if permissions allow. The most critical impact is full remote code execution, as administrative control allows injecting and executing arbitrary shell commands via motion event hooks. This represents a significant security risk for compromised surveillance systems, with public instances easily discoverable via search engines like Shodan.
Recommendation
- Patch motionEye: Immediately upgrade all motionEye installations to version 0.44.0 or higher to remediate the path traversal vulnerability.
- Configure Passwords: If possible, set a non-empty password for the normal user account to prevent unauthenticated access to normal-level endpoints, reducing the attack surface.
- Deploy Detection Rule: Deploy the provided Sigma rule to your SIEM to detect attempts at path traversal for configuration files.
- Monitor Web Server Logs: Actively monitor web server access logs for unusual GET requests containing absolute file paths, particularly those targeting sensitive configuration files or unexpected locations.
Detection coverage 1
Detect motionEye Unauthenticated Path Traversal for motion.conf
highDetects attempts to exploit the path traversal vulnerability (GHSA-phv5-334h-mxcw) in motionEye by attempting to read the motion.conf file via web server handlers like MoviePlaybackHandler.
Detection queries are available on the platform. Get full rules →