MotionEye OS Command Injection Vulnerability Allowing Remote Code Execution

Vulnerability

A command injection vulnerability has been identified in MotionEye versions through 0.43.1b4. The issue arises from unsanitized user input in configuration parameters, such as 'image_file_name', which is written to Motion configuration files. This vulnerability allows remote authenticated attackers with admin access to execute arbitrary code when Motion is restarted.

Impact

Exploitation of this vulnerability leads to remote code execution on the server where MotionEye is running.

Reproduction

The vulnerability can be reproduced by uploading a payload containing shell commands into the 'Image File Name' configuration parameter. After applying the settings, the payload is executed when the Motion service is restarted.

Remediation

Users can manually sanitize the 'image_file_name' parameter to remove any potentially harmful characters before uploading it. Additionally, a patch is available that modifies the MotionEye configuration file to include proper input sanitization.
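As an added example (not code from the advisory or from the MotionEye project), here is the kind of allow-list check the remediation describes: it validates an 'image_file_name' value before it is written into the Motion configuration, rejecting shell metacharacters, whitespace and newlines, and path traversal. It assumes that MotionEye writes the value verbatim into Motion's `picture_filename` option and that the allowed character set below covers legitimate filename patterns.

```python
import re

# Allow-list for Motion-style filename patterns such as "%Y-%m-%d/%H-%M-%S-%q":
# letters, digits, '%' for conversion specifiers, and a few path-safe characters.
# Assumption (not from the advisory): this set covers legitimate MotionEye usage.
_ALLOWED_PATTERN = re.compile(r"[A-Za-z0-9%._/\-]+")
_MAX_LEN = 255


def is_safe_image_file_name(value: str) -> bool:
    """Return True only if `value` may be written verbatim into a Motion config file."""
    if not value or len(value) > _MAX_LEN:
        return False
    # Anything outside the allow-list is rejected: shell metacharacters
    # (; | & $ ` ( ) < > *), quotes, spaces and, crucially, newlines, which would
    # let the value terminate its own directive and start a new one.
    # fullmatch is used on purpose: with '$' a trailing newline would slip through.
    if not _ALLOWED_PATTERN.fullmatch(value):
        return False
    # Reject absolute paths, empty components ("a//b", trailing "/") and traversal,
    # so the picture stays below the configured target directory.
    if any(part in ("", "..") for part in value.split("/")):
        return False
    return True


def render_picture_filename_directive(value: str) -> str:
    """Build the Motion directive for an image file name, refusing unsafe input.

    Assumption: MotionEye maps 'image_file_name' to Motion's 'picture_filename'
    option; substitute the real option name if your version differs.
    """
    if not is_safe_image_file_name(value):
        raise ValueError(f"unsafe image_file_name rejected: {value!r}")
    return f"picture_filename {value}"


if __name__ == "__main__":
    # Constructed sample inputs: one legitimate pattern, two that must be refused.
    for candidate in ("%Y-%m-%d/%H-%M-%S-%q", "%Y;%H", "%Y\nfoo bar"):
        try:
            print(render_picture_filename_directive(candidate))
        except ValueError as exc:
            print(exc)
```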

Added: Oct 3, 2025, 4:18 PM
Updated: Oct 3, 2025, 4:18 PM

Vulnerability Rating

Custom Algorithm

spread          5.7
impact         10.0
exploitability  5.8
remediation     8.3
relevance       0.6
threat          7.6
urgency         2.9
incentive       1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.