motionEye Authentication Bypass via Path Traversal and SHA-1 Hash Reuse
A chain of two authentication design flaws allows unauthenticated attackers to read the admin configuration file and reuse the SHA-1 password hash directly as an API signing key, bypassing authentication entirely when the normal user password is left empty (the default configuration).
Affected
Vulnerability Description
The vulnerability exploits a logical authentication bypass combined with insecure cryptographic design. The root cause stems from two independent flaws: (1) the application grants 'normal' user access when both username and normal_password are empty, and (2) the admin password hash stored in the configuration file is directly accepted as an API signing key without additional salting or validation. This violates the principle of separation between stored secrets and authentication tokens. The impact is complete administrative access to the motionEye system (camera control, settings modification, potential command execution through built-in functionality).
PoC Significance
The proof-of-concept is significant because it demonstrates a realistic attack chain against default installations. The precondition—normal user password left empty—is explicitly noted as the default configuration, making this highly likely to affect real deployments. The PoC proves that path traversal can be leveraged to exfiltrate the configuration file, and that SHA-1 hashes are cryptographically reusable as authentication material. This is not a theoretical attack; the advisory explicitly states the hash is "accepted directly as a signing key" with "no cracking required."
Detection Guidance
Log Indicators:
- Unauthenticated HTTP requests to sensitive endpoints (e.g., /api/config, /settings) from non-local IPs when normal_password is empty
- Admin API requests using SHA-1 formatted credentials (typically 40 hex characters) originating from unexpected sources
- Repeated 401/403 followed by successful authentication with hash-like credentials
- File access logs showing reads of motioneye/config.py or configuration files via path traversal patterns (../, ..%2F)
Signature Patterns:
- HTTP requests containing encoded path traversal sequences targeting config files
- API requests with Authorization headers matching SHA-1 hash format
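The log indicators above can be checked with a short scanner. This is an added example, not code from the advisory or from motionEye; the combined-log line format, the trusted LAN range, the denial threshold, the `sig` parameter name and every sample path except /api/config are assumptions. It goes slightly beyond the listed patterns by also normalising double-encoded traversal (..%252F).

```python
import ipaddress
import re
from collections import defaultdict
from urllib.parse import unquote

# Assumptions: combined-log-style lines from a reverse proxy, a 192.168.1.0/24 LAN,
# and three denials before a success counting as "repeated". Adjust all three.
LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]*\] "\S+ (\S+)[^"]*" (\d{3})')
HEX40_RE = re.compile(r"(?<![0-9a-f])[0-9a-f]{40}(?![0-9a-f])", re.I)
TRUSTED_NETS = [ipaddress.ip_network(n) for n in ("192.168.1.0/24", "127.0.0.0/8")]
DENY_THRESHOLD = 3

def fully_decode(target, rounds=3):
    """Percent-decode repeatedly so ..%2F and double-encoded ..%252F both normalise."""
    for _ in range(rounds):
        target = unquote(target)
    return target.replace("\\", "/")

def scan(lines):
    """Return (indicator, client_ip, raw_target) tuples for the log indicators above."""
    findings, denials = [], defaultdict(int)
    for m in filter(None, map(LINE_RE.match, lines)):
        ip, target, status = m.group(1), m.group(2), int(m.group(3))
        try:
            external = not any(ipaddress.ip_address(ip) in n for n in TRUSTED_NETS)
        except ValueError:
            external = True  # unparseable client field: treat as untrusted
        decoded = fully_decode(target)
        if "../" in decoded:
            findings.append(("path-traversal", ip, target))
        if external and HEX40_RE.search(decoded):
            findings.append(("sha1-like-credential-external", ip, target))
        if status in (401, 403):
            denials[ip] += 1
        elif 200 <= status < 300 and denials.pop(ip, 0) >= DENY_THRESHOLD:
            findings.append(("denials-then-success", ip, target))
    return findings

# Constructed sample lines, not real traffic; the hash and the sig parameter are made up.
FAKE_HASH = "0123456789abcdef" * 2 + "01234567"
TS = "[01/Jan/2025:10:00:00 +0000]"
SAMPLE = [
    f'192.168.1.20 - - {TS} "GET /api/config HTTP/1.1" 200 512',
    f'203.0.113.5 - - {TS} "GET /example/..%2F..%2Fconfig HTTP/1.1" 200 900',
    f'203.0.113.5 - - {TS} "GET /example/..%252F..%252Fconfig HTTP/1.1" 404 0',
    *[f'198.51.100.7 - - {TS} "GET /api/config HTTP/1.1" 403 0'] * 3,
    f'198.51.100.7 - - {TS} "GET /api/config?sig={FAKE_HASH} HTTP/1.1" 200 512',
]
```

Access logs rarely record Authorization headers, so the 40-hex check here only sees credentials that appear in the logged request target; header-based matching needs proxy or application logging that captures them.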
Mitigation Steps
- Immediate: Set a strong normal user password (do not leave empty); this blocks unauthenticated configuration file access
- Patch: Upgrade to a patched version once available; verify the fix includes:
  - Rejecting unauthenticated requests even when normal_password is empty
  - Removing hash-as-signing-key functionality; use proper session tokens or salted HMAC validation
  - Input validation to prevent path traversal
- Hardening: Restrict network access to motionEye admin interfaces; use firewall rules to block external access
- Monitoring: Enable audit logging for authentication attempts and configuration file reads
Risk Assessment
Likelihood: High in the wild. The default configuration (empty normal_password) is explicitly documented as the intended default, and many home/small-business installations likely follow this pattern to allow casual household access to feeds. The attack requires only network access to the HTTP interface and no advanced exploitation techniques.
Threat Actor Interest: High. This provides low-friction access to surveillance system controls, enabling camera disabling, feed manipulation, or leveraging built-in command execution features. Nation-state and organized crime actors targeting infrastructure or residences would find value in this.
Temporal Risk: Acute until patches are released and deployed. No evidence of active exploitation in the wild has been disclosed, but the simplicity of the attack vector suggests it will be adopted quickly once public.
Sources