motionEye Remote Code Execution Vulnerability in add_camera Web API

Vulnerability

A remote code execution vulnerability has been identified in motionEye versions 0.43.1b1 through 0.43.1b3. The issue lies in the add_camera function of the motionEye web API: the camera device path supplied by the client is interpolated into a shell command string, so a crafted device path can be used to execute arbitrary commands in a non-interactive shell. The commands run as the user motionEye runs as, which is 'motion' by default. The vulnerability is triggered by sending a POST request to the 'config/add' endpoint with a device path that breaks out of the command's quoting and uses shell command substitution.

Impact

Exploitation of this vulnerability allows an authenticated user holding motionEye admin credentials to execute arbitrary commands on the server where motionEye is running, as the 'motion' user. It is a post-authentication issue, so the admin password is the only barrier between a network client and command execution on the host.

Reproduction

The vulnerability can be reproduced by sending a POST request to the 'config/add' endpoint of the motionEye web API with a crafted device path that takes advantage of the command injection. A convenient test bed is a Docker container running motionEye 0.43.1b3 with the usual configuration and media volumes mounted and the web port published. Once the motionEye server is up and an admin session has been obtained, the vulnerable endpoint can be called and the injected command observed running as the 'motion' user inside the container.

Remediation

Users should upgrade to motionEye version 0.43.1b4, where this vulnerability has been patched. Alternatively, the patch can be applied manually: remove the literal single quotes placed around the device path in the command string and instead pass the device path through a shell-quoting routine (for example Python's shlex.quote) so that the whole path reaches the command as a single argument, whatever characters it contains.
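The following added example illustrates the injection pattern described in the Vulnerability section and the quoting fix described under Remediation. It is not motionEye's code: the probing command is a harmless printf stand-in for the real device-probing tool (an assumption made for the demonstration), the crafted device path is constructed here, and the is_plausible_v4l2_device allowlist check is an extra defence-in-depth measure of the example's own, not part of the upstream patch.

```python
import re
import shlex
import subprocess

# Stand-in for the tool motionEye runs against a V4L2 device path. The real
# probe is not needed to show the injection; this is an assumption of the
# example, not motionEye's code. The device path is substituted for %s.
PROBE = "printf 'probing %s'"


def build_command_vulnerable(device: str) -> str:
    """Pattern from the advisory: the device path is dropped between literal
    single quotes. A path containing a single quote terminates the quoting,
    and whatever follows (e.g. $(...)) is parsed and executed by the shell."""
    return f"{PROBE} '{device}'"


def build_command_fixed(device: str) -> str:
    """Remediation pattern: shlex.quote() returns one shell token that the
    shell passes through unchanged, so embedded quotes and $(...) stay
    literal data instead of becoming shell syntax."""
    return f"{PROBE} {shlex.quote(device)}"


def run_in_shell(cmd: str) -> str:
    # Both variants are executed through the shell, as the vulnerable code
    # path does; only the quoting of the device path differs.
    return subprocess.run(cmd, shell=True, capture_output=True, text=True).stdout


# Constructed attacker input: a valid-looking device path, a single quote to
# close the literal quoting, and a command substitution. "echo RCE" stands in
# for an arbitrary command run as the motionEye user.
CRAFTED_DEVICE = "/dev/video0'$(echo RCE)'"

# Added defence-in-depth check (not part of the upstream fix): the endpoint
# only needs to accept real V4L2 device nodes, so reject anything else before
# it gets anywhere near a shell command.
_V4L2_DEVICE = re.compile(r"^/dev/video[0-9]+$")


def is_plausible_v4l2_device(device: str) -> bool:
    return _V4L2_DEVICE.fullmatch(device) is not None


def demo(device: str = CRAFTED_DEVICE) -> dict:
    """Run the same crafted device path through both builders and report
    what each produced. With the vulnerable builder the substitution runs
    and its output ("RCE") is spliced into the argument; with the fixed
    builder the literal text "$(echo RCE)" survives untouched."""
    vulnerable_out = run_in_shell(build_command_vulnerable(device))
    fixed_out = run_in_shell(build_command_fixed(device))
    return {
        "vulnerable": vulnerable_out,
        "fixed": fixed_out,
        "substitution_executed": "$(echo RCE)" not in vulnerable_out,
        "allowlist_accepts": is_plausible_v4l2_device(device),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value!r}")
```

The observable difference is in the argument the probe receives: the vulnerable builder yields `probing /dev/video0RCE` because the shell ran `echo RCE` and spliced in its output, while the fixed builder yields the literal string `probing /dev/video0'$(echo RCE)'`. The allowlist check is cheap and independent of the quoting fix; applying both means a future change to the command string cannot silently reopen the injection.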

Added: Jun 9, 2025, 7:46 PM
Updated: Jun 9, 2025, 7:46 PM

Vulnerability Rating

Custom Algorithm

spread:         5.7
impact:         7.5
exploitability: 5.8
remediation:    7.7
relevance:      0.0
threat:         6.4
urgency:        2.9
incentive:      1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.