<?xml version="1.0" encoding="utf-8" standalone="yes"?><rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom" xmlns:content="http://purl.org/rss/1.0/modules/content/"><channel><title>Motioneye - CraftedSignal Threat Feed</title><link>https://feed.craftedsignal.io/tags/motioneye/</link><description>Trending threats, MITRE ATT&amp;CK coverage, and detection metadata. Fed continuously.</description><generator>Hugo</generator><language>en</language><managingEditor>hello@craftedsignal.io</managingEditor><webMaster>hello@craftedsignal.io</webMaster><lastBuildDate>Fri, 03 Jul 2026 10:57:41 +0000</lastBuildDate><atom:link href="https://feed.craftedsignal.io/tags/motioneye/feed.xml" rel="self" type="application/rss+xml"/><item><title>motionEye: LFI → Pass-the-Hash Admin → Unsafe Restore → Unauthenticated Action Execution (RCE)</title><link>https://feed.craftedsignal.io/briefs/2026-07-motioneye-rce-chain/</link><pubDate>Fri, 03 Jul 2026 10:57:41 +0000</pubDate><author>hello@craftedsignal.io</author><guid isPermaLink="true">https://feed.craftedsignal.io/briefs/2026-07-motioneye-rce-chain/</guid><description>An attacker can chain multiple vulnerabilities in motionEye, including an arbitrary file read (LFI), a signature bypass using password hashes, and an unsafe configuration restore, to achieve unauthenticated remote code execution (RCE) if the normal user password is unset, or authenticated RCE from a normal user account.</description><content:encoded><![CDATA[<p>A critical multi-stage vulnerability chain in motionEye, affecting versions prior to 0.44.0, allows for unauthenticated remote code execution (RCE) under specific conditions. Attackers can exploit an arbitrary file read (Local File Inclusion or LFI) via the <code>picture/&lt;id&gt;/download</code> endpoint, specifically for local motion cameras, to extract sensitive configuration data like the admin password hash. This hash can then be used to forge authentication signatures, granting admin access without the plaintext password (a &quot;pass-the-hash&quot; technique). Subsequently, an unsafe configuration restore function, which extracts attacker-controlled tarballs into the <code>CONF_PATH</code> without proper sanitization, can be abused to drop malicious executables. Finally, an unauthenticated action execution endpoint allows for the immediate execution of these injected files, leading to full system compromise. This chain can be exploited unauthenticated if the normal user password is unset, or as an authenticated normal user to escalate to RCE.</p>
<h2 id="attack-chain">Attack Chain</h2>
<ol>
<li><strong>Identify Local Camera ID</strong>: The attacker first identifies or creates a local motion camera ID, which is a prerequisite for exploiting the vulnerable LFI path in <code>picture/&lt;id&gt;/download</code>.</li>
<li><strong>Arbitrary File Read (LFI)</strong>: The attacker sends a request to <code>/picture/&lt;id&gt;/download/&lt;absolute_path&gt;</code> (e.g., <code>/picture/1/download/%2Fetc%2Fhosts</code>) to read arbitrary files from the motionEye server's filesystem.</li>
<li><strong>Extract Admin Hash</strong>: Using the LFI, the attacker reads the motionEye configuration file (e.g., <code>/etc/motioneye/motion.conf</code>) to obtain the SHA1 hash of the <code>@admin_password</code>.</li>
<li><strong>Achieve Admin Access</strong>: The attacker computes a valid authentication signature for <code>/config/restore?_username=admin</code> using the stolen admin password hash as the key, bypassing standard authentication and gaining administrative privileges.</li>
<li><strong>Upload Malicious Archive</strong>: The attacker uploads a crafted tar archive containing an executable file named <code>lock_&lt;id&gt;</code> (or any valid action for a camera ID) via the now-accessible <code>/config/restore</code> endpoint. This executable is extracted into <code>CONF_PATH</code>.</li>
<li><strong>Execute Malicious Action</strong>: The attacker sends an unauthenticated POST request to <code>/action/&lt;id&gt;/lock</code>. The motionEye server executes the previously injected <code>lock_&lt;id&gt;</code> file via <code>subprocess.Popen</code>, resulting in remote code execution.</li>
<li><strong>Impact</strong>: The injected action creates a marker file <code>/tmp/meye_rce_ok</code>, confirming successful remote code execution.</li>
</ol>
<h2 id="impact">Impact</h2>
<p>Successful exploitation of this vulnerability chain leads to critical consequences. If the normal user password is unset (a common default in some installations), an unauthenticated attacker can achieve full Remote Code Execution (RCE) on the motionEye server. If a normal user password is set, an authenticated normal user can escalate their privileges to admin and then achieve RCE. This allows for arbitrary file read on the server's filesystem and full compromise of the motionEye process account, potentially leading to data exfiltration, service disruption, or further network penetration. The impact in observed testing included creating arbitrary files on the filesystem.</p>
<h2 id="recommendation">Recommendation</h2>
<ul>
<li><strong>Patch motionEye</strong>: Immediately update all motionEye installations to version 0.44.0 or newer to address the vulnerabilities in <code>motioneye/motioneye/handlers/picture.py</code>, <code>motioneye/motioneye/mediafiles.py</code>, <code>motioneye/motioneye/handlers/base.py</code>, <code>motioneye/motioneye/config.py</code>, and <code>motioneye/motioneye/handlers/action.py</code>.</li>
<li><strong>Implement Rule <code>motioneye_rce_action_execution</code></strong>: Deploy the provided Sigma rule to detect suspicious process creation originating from the <code>motioneye</code> service account, indicating potential RCE.</li>
<li><strong>Review <code>CONF_PATH</code> Permissions</strong>: Ensure that the <code>CONF_PATH</code> (typically <code>/etc/motioneye</code>) has restrictive write permissions, limiting write access only to the necessary motionEye process account.</li>
<li><strong>Regularly Review motionEye Logs</strong>: Monitor <code>motioneye</code> service logs for unusual activity, especially for failed authentication attempts, unexpected file accesses, or process creations from the <code>motioneye</code> user.</li>
</ul>
]]></content:encoded><category domain="severity">critical</category><category domain="type">advisory</category><category>RCE</category><category>LFI</category><category>motioneye</category><category>vulnerability</category><category>unauthenticated</category><category>privilege-escalation</category></item></channel></rss>