Yi IOT XY-3820 Remote Code Execution Vulnerability
Vulnerability
A remote code execution vulnerability has been identified in the Yi IOT XY-3820 camera, specifically firmware version 6.0.24.10. The issue lies in the daemon process, which exposes a TCP service on port 6789. This service fails to validate input properly, so a remote attacker can execute arbitrary scripts already stored on the device by sending specially crafted TCP requests containing directory traversal sequences. The executed commands run with root privileges, potentially compromising the device and the network it sits on.
Impact
Exploitation of this vulnerability allows remote, unauthenticated attackers to execute arbitrary commands with root privileges on the affected device. This could lead to a complete takeover of the camera, including its functions and video streams, and could serve as an entry point into the local network.
Reproduction
To reproduce this vulnerability, send a TCP packet to port 6789 that includes a directory traversal payload such as '../../../usr/bin/cmd'. The payload exploits the lack of input validation by traversing directories to reach the 'cmd' binary, which, when executed, opens a new service on port 999 that allows further command execution with root privileges.
Remediation
Currently, no official patch is available. It is recommended to block incoming traffic on ports 6789 and 999 using a firewall, isolate affected devices on a separate VLAN, and monitor network traffic for unusual activity.
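To support the monitoring step above, here is an added example (not part of the advisory, and not vendor code) that scans connection-log lines for the two indicators this advisory gives: inbound sessions to tcp/6789 or tcp/999 from outside a trusted management network, and '../' traversal sequences in the payload sent to the daemon. The log line format, the trusted subnet 192.168.10.0/24, and the sample traffic are all constructed for the example.

```python
import re
from ipaddress import ip_address, ip_network

# Ports named in the advisory: the daemon's TCP service (6789) and the
# listener that the 'cmd' binary opens once it has been reached (999).
WATCHED_PORTS = {6789, 999}

# Hypothetical management network that is allowed to reach the camera at all.
TRUSTED_NET = ip_network("192.168.10.0/24")

# Matches '../' style traversal, including the URL-encoded '%2e%2e/' form.
TRAVERSAL = re.compile(r"(?:\.\./|%2e%2e(?:/|%2f))", re.IGNORECASE)

# Constructed log line format (not any real product's format):
# <ts> <src_ip> -> <dst_ip>:<dst_port> tcp payload="<...>"
LINE = re.compile(
    r'^(?P<ts>\S+) (?P<src>[\d.]+) -> (?P<dst>[\d.]+):(?P<port>\d+) '
    r'tcp payload="(?P<payload>.*)"$'
)

def classify(line):
    """Return a list of alert tags for one log line (empty if benign)."""
    m = LINE.match(line)
    if not m:
        return ["unparsed"]
    port = int(m["port"])
    alerts = []
    if port in WATCHED_PORTS:
        # Any session to these ports from outside the trusted net is suspicious
        # regardless of payload; the advisory recommends blocking them outright.
        if ip_address(m["src"]) not in TRUSTED_NET:
            alerts.append(f"untrusted-src-port-{port}")
        # A traversal sequence in the payload is the signature of the exploit.
        if TRAVERSAL.search(m["payload"]):
            alerts.append("traversal-payload")
        # Any session on 999 suggests the 'cmd' listener is already up.
        if port == 999:
            alerts.append("cmd-listener-port")
    return alerts

def scan(lines):
    """Return {line_number: alerts} for every line that raised an alert."""
    return {i: a for i, l in enumerate(lines, 1) if (a := classify(l))}

# Constructed sample traffic: a benign RTSP request from the management net,
# a traversal attempt against 6789 from outside it, then a session to 999.
SAMPLE_LOG = [
    '2024-05-01T10:00:00Z 192.168.10.5 -> 192.168.10.50:554 tcp payload="OPTIONS rtsp://cam/ RTSP/1.0"',
    '2024-05-01T10:00:01Z 203.0.113.7 -> 192.168.10.50:6789 tcp payload="../../../usr/bin/cmd"',
    '2024-05-01T10:00:02Z 203.0.113.7 -> 192.168.10.50:999 tcp payload=""',
]

if __name__ == "__main__":
    for n, alerts in scan(SAMPLE_LOG).items():
        print(n, alerts)
```

Feed real connection logs through `scan` after adapting the `LINE` pattern to the log source; any hit on port 6789 or 999 is worth a firewall rule check even if no traversal is seen.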
