
CVE-2025-29660: Arbitrary remote code execution

Published 19 April 2025
CVSS 9.8
Yi IOT
XY-3820
6.0.24.10
Executive summary

A critical vulnerability has been identified in the Yi IOT XY-3820 (v6.0.24.10) smart camera platform, specifically within its embedded daemon process. The service, exposed on TCP port 6789, fails to properly sanitize user-supplied input, enabling remote unauthenticated attackers to execute arbitrary commands present on the file system via path traversal techniques. Successful exploitation leads to unauthorized code execution with elevated privileges.

Introduction & Context

The vulnerable binary, named "daemon", is a core component responsible for:

  • Handling communication between the main application (anika_ipc) and the web interface.
  • Transmitting video feeds and processing control commands (e.g., camera rotation).
  • Starting at boot and listening on the following ports:
    • TCP 6789 for command handling.
    • UDP 8192 for media stream transfer.

Vulnerability Details

Each TCP request sent to port 6789 is processed by the daemon_parse_exec function.

Figure 1

Within this function:

  • The payload is parsed and expected to form a valid path to a script.
  • However, relative path components such as "../" are not filtered, allowing directory traversal.

Then, the input (starting from the 6th byte of the payload) is concatenated with a base path to form the final script execution path.

Figure 2

This concatenated path is executed with root privileges using the call shown in Figure 3.

Figure 3
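The defect above is a classic unchecked concatenation: the bytes after the 6-byte header are glued onto a base path and handed to an exec-style call. The following is an added example (not code from the Yi daemon, whose source is not available) that places that vulnerable pattern next to a hardened variant. The base directory /home/app/scripts and the 6-byte header are assumptions; the advisory gives the header offset but not the base path.

```c
#include <stdio.h>
#include <string.h>
#include <stddef.h>

/* Assumed base directory for the daemon's scripts (hypothetical; the real
 * path the daemon prepends is not stated in the advisory). */
#define SCRIPT_BASE "/home/app/scripts"
/* The advisory states the script path begins at the 6th byte of the payload. */
#define HEADER_LEN 6
#define PATH_MAX_LEN 256

/* Vulnerable pattern described in the advisory: the client-supplied path is
 * appended to the base path with no filtering, so "../" escapes SCRIPT_BASE.
 * Returns the would-be execution path, or NULL if the payload is too short.
 * (It only builds the string; nothing is executed here.) */
const char *vulnerable_build_path(const char *payload, size_t len) {
    static char out[PATH_MAX_LEN];
    if (len <= HEADER_LEN) return NULL;
    snprintf(out, sizeof out, "%s/%.*s", SCRIPT_BASE,
             (int)(len - HEADER_LEN), payload + HEADER_LEN);
    return out;
}

/* Hardened variant: treats the remainder as a relative path under SCRIPT_BASE
 * and rejects anything that could leave it. Returns the path or NULL. */
const char *safe_build_path(const char *payload, size_t len) {
    static char out[PATH_MAX_LEN];
    if (len <= HEADER_LEN) return NULL;
    const char *rel = payload + HEADER_LEN;
    size_t rlen = len - HEADER_LEN;

    if (rel[0] == '/') return NULL;               /* no absolute paths */
    for (size_t i = 0; i < rlen; i++) {            /* no NUL/control bytes */
        unsigned char c = (unsigned char)rel[i];
        if (c < 0x20 || c == 0x7f) return NULL;
    }
    /* Walk the '/'-separated components: reject empty ("//", trailing '/'),
     * "." and ".." components. */
    size_t start = 0;
    for (size_t i = 0; i <= rlen; i++) {
        if (i == rlen || rel[i] == '/') {
            size_t clen = i - start;
            if (clen == 0) return NULL;
            if (clen == 1 && rel[start] == '.') return NULL;
            if (clen == 2 && rel[start] == '.' && rel[start + 1] == '.') return NULL;
            start = i + 1;
        }
    }
    int n = snprintf(out, sizeof out, "%s/%.*s", SCRIPT_BASE, (int)rlen, rel);
    if (n < 0 || (size_t)n >= sizeof out) return NULL;  /* truncation = reject */
    return out;
}

int main(void) {
    /* Constructed sample requests: the advisory's PoC payload and a benign one. */
    const char *poc = "12 12 ../../../usr/bin/cmd";
    const char *benign = "12 12 rotate.sh";
    printf("vulnerable: %s\n", vulnerable_build_path(poc, strlen(poc)));
    const char *p = safe_build_path(poc, strlen(poc));
    printf("hardened:   %s\n", p ? p : "(rejected)");
    p = safe_build_path(benign, strlen(benign));
    printf("hardened:   %s\n", p ? p : "(rejected)");
    return 0;
}
```

The component walk rejects the traversal payload outright, while a plain filename still resolves under the base directory. A stronger fix for a fixed-function device is an allowlist of the handful of script names the daemon actually needs, which removes path construction from untrusted input entirely; on the network side, the service should not be reachable unauthenticated at all.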

Proof of Concept (PoC)

To exploit this vulnerability, send the following payload via a raw TCP connection to port 6789:

```text
12 12 ../../../usr/bin/cmd
```

No newline or carriage return is required. This payload instructs the daemon to execute the /usr/bin/cmd binary.

Figure 4

After successful execution, the device opens port 999, which is indicative of the cmd process being launched.

Figure 5

Risk and Impact

  • Remote Unauthenticated Command Execution
  • Root-level Privileges Gained
  • Persistence Capabilities for Malware
  • Full Takeover of Camera Functions & Streams
  • Potential Entry Point into Local Network

Acknowledgements

This vulnerability was discovered by Yassine Damiri. The research helps improve awareness around the security risks posed by weak input validation and serves as a basis for further security improvements.

Disclaimer

This repository is intended for educational and ethical hacking purposes only. Unauthorized access to devices or systems is illegal. Always obtain proper authorization before conducting security testing.

Author

Yassine Damiri

© 2023 Yassine Damiri. All Rights Reserved.