motionEye's World-Readable Configuration File Exposes Admin Password Hash

Description

# Security Advisory: World-Readable Configuration File Exposes Admin Password Hash in motionEye ## Summary motionEye v0.43.1 and prior versions create the configuration file `/etc/motioneye/motion.conf` with `644` permissions (`-rw-r--r--`), making it readable by any local user on the system. This file contains sensitive data including the admin password hash, which can be leveraged by other vulnerabilities to escalate privileges. ## Affected Versions - motionEye <= 0.43.1b4 - Fixed in motionEye 0.44.0b1 (applies `0600` mode to `motion.conf` and `camera-*.conf` files) ## Vulnerability Details ### World-Readable Configuration File (CWE-732) When motionEye writes its configuration, the file `/etc/motioneye/motion.conf` is created with `644` permissions regardless of the installation method. This file contains the admin password hash in the `@admin_password` field: ``` # @admin_username admin # @admin_password c18006fc138809314751cd1991f1e0b820fabd37 ``` Any local user can read this hash without elevated privileges: ```bash $ sudo -u testuser cat /etc/motioneye/motion.conf # @admin_password c18006fc138809314751cd1991f1e0b820fabd37 ``` Additionally, per-camera configuration files (`camera-*.conf`) are also created with the same `644` permissions, potentially exposing camera-specific credentials and settings. ## Impact The exposed admin password hash enables several attack paths: - **Offline password cracking:** The SHA1 hash can be cracked to recover the plaintext admin password - **Authentication bypass:** When combined with the signature authentication weakness (see GHSA-45h7-499j-7ww3), the hash can be used directly to forge authenticated admin API requests - **Full system compromise:** When further chained with CVE-2025-60787 (OS command injection), a local unprivileged user can escalate to the Motion daemon user (often root) ## Proof of Concept The following demonstrates that an unprivileged user can read the admin password hash from the config file and verify it matches the admin's password: ```bash # Verify the file permissions $ ls -la /etc/motioneye/motion.conf -rw-r--r-- 1 motion motion 255 Mar 11 15:42 /etc/motioneye/motion.conf # Read the hash as an unprivileged user $ sudo -u testuser cat /etc/motioneye/motion.conf | grep admin_password # @admin_password c18006fc138809314751cd1991f1e0b820fabd37 # Verify the hash matches the admin password (SHA1) $ sudo -u testuser python3 -c "import hashlib; print(hashlib.sha1(b'testpassword123').hexdigest())" c18006fc138809314751cd1991f1e0b820fabd37 ``` ### Verified Output The following output was captured on a fresh motionEye v0.43.1b4 installation (official `motioneye_init` method, admin password set to `testpassword123`): ``` $ ls -la /etc/motioneye/motion.conf -rw-r--r-- 1 motion motion 255 Mar 11 15:42 /etc/motioneye/motion.conf $ sudo -u testuser cat /etc/motioneye/motion.conf | grep admin_password # @admin_password c18006fc138809314751cd1991f1e0b820fabd37 $ sudo -u testuser python3 -c "import hashlib; print(hashlib.sha1(b'testpassword123').hexdigest())" c18006fc138809314751cd1991f1e0b820fabd37 ``` The hash extracted by the unprivileged `testuser` matches the SHA1 of the admin password, confirming full credential exposure. ## Reproduction Steps This vulnerability has been tested and confirmed with both installation methods described in the official motionEye documentation. ### Method 1: Manual Installation 1. Install motionEye on a Linux system: ```bash sudo pip install motioneye mkdir -p /etc/motioneye /var/log/motioneye /var/lib/motioneye /run/motioneye cp /usr/local/lib/python3.12/dist-packages/motioneye/extra/motioneye.conf.sample /etc/motioneye/motioneye.conf sudo meyectl startserver -c /etc/motioneye/motioneye.conf ``` 2. Set an admin password via the web UI at `http://localhost:8765` 3. Verify the config file is world-readable: ```bash ls -la /etc/motioneye/motion.conf # -rw-r--r-- 1 root root 255 ... /etc/motioneye/motion.conf ``` 4. As an unprivileged user, read the hash: ```bash sudo -u testuser cat /etc/motioneye/motion.conf # @admin_password c18006fc138809314751cd1991f1e0b820fabd37 ``` ### Method 2: Official `motioneye_init` Installation 1. Install motionEye using the official init script: ```bash sudo pip install motioneye sudo motioneye_init ``` 2. The `motioneye_init` script automatically creates the required directories, installs the systemd service, and starts motionEye. Set an admin password via the web UI at `http://localhost:8765` 3. Verify the config file is still world-readable: ```bash ls -la /etc/motioneye/motion.conf # -rw-r--r-- 1 motion motion 255 ... /etc/motioneye/motion.conf ``` Note that while the ownership changes to `motion:motion` (instead of `root:root` in the manual method), the permissions remain `644`, meaning any local user can still read the file. 4. Confirm as an unprivileged user: ```bash sudo -u testuser cat /etc/motioneye/motion.conf # @admin_password c18006fc138809314751cd1991f1e0b820fabd37 ``` Both installation methods produce the same vulnerable state, confirming this is the default behavior of the software and not a user misconfiguration. ## Related Vulnerabilities - **GHSA-45h7-499j-7ww3:** Password hash accepted as API signing key (CWE-836), which allows the hash exposed by this vulnerability to be used for forging authenticated admin API requests - **CVE-2025-60787:** OS command injection via `image_file_name`, which requires admin authentication. When chained with both this vulnerability and GHSA-45h7-499j-7ww3, enables local privilege escalation to root ## Suggested Remediation 1. **Fix file permissions:** Create `motion.conf` and `camera-*.conf` with `600` permissions (`-rw-------`), readable only by the motionEye service user (addressed in motionEye 0.44.0b1) ## Timeline - **2026-03-11:** Vulnerability discovered during security research - **2026-03-11:** Vendor notified via GitHub Security Advisory - **2026-03-12:** Vendor acknowledged, confirmed fix in motionEye 0.44.0b1

Affected Packages (1)