i-doit Pro v25 and below weak password & add-on upload to RCE, CVE-2023-37756

Ray
Sep 10, 2023


i-doit Pro v25 has weak password requirements: an extremely weak admin password can be configured, even one as short as a single character.
In addition, the application is susceptible to an add-on (plugin) upload flaw, which lets an attacker who reaches the admin interface execute arbitrary OS commands and PHP code on the system with the privileges of the application.

Product Description: i-doit is a web-based, open-source Configuration Management Database (CMDB) published by Synetics GmbH.

Affected path: /admin/

The following payloads were tested on i-doit Pro v25.

Payload demonstration:

1. The following screenshot demonstrates the ability to set a one-character password on the admin portal.

A single-character password can be set on the admin portal

2. We can log in successfully using it.

Login to the admin portal with the one-character password

3. The admin interface includes an add-on upload feature.

The add-on upload feature

4. After downloading and decompressing an add-on, our plan is to inject a malicious payload into it.

A decompressed add-on

5. The following screenshot illustrates the insertion of a malicious payload into the initial script of the add-on.

Malicious payload in an add-on

6. The add-on has been packed for future uploading.

Pack the add-on for later upload

7. The following screenshot demonstrates the successful uploading and activation of the add-on containing the malicious payload.

Successfully uploaded the add-on containing the malicious payload

8. A reverse shell was automatically initiated upon the initialization of the add-on.

Reverse shell initialized after the add-on was uploaded
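The upload flaw above exists because an uploaded add-on is activated without any inspection of the PHP it ships. As an added example (not code from the original post or from i-doit), the following scanner flags PHP members of an add-on archive that call command-execution or code-evaluation functions before the add-on is activated. It assumes an add-on is packaged as a ZIP archive of PHP files; the post does not describe the real packaging, and the sample archive is constructed here.

```python
"""Scan an add-on archive for PHP code that runs OS commands or evaluates code.

Added example, not from the original post or from i-doit. Assumes the add-on
is a ZIP of PHP files (an assumption; the post does not describe packaging).
"""
import io
import re
import zipfile

# PHP functions that hand strings to the OS shell or evaluate code at runtime.
DANGEROUS_CALLS = (
    "system", "exec", "shell_exec", "passthru", "popen", "proc_open",
    "pcntl_exec", "eval", "assert",
)
# Match a bare call such as `system(` or `\shell_exec (`, but not
# `system_config(`: the lookbehind rejects identifier characters before the
# name. Method calls like `->exec(` are still flagged; the heuristic prefers
# a false positive over a missed hit.
_CALL_RE = re.compile(
    r"(?<![A-Za-z0-9_])(" + "|".join(DANGEROUS_CALLS) + r")\s*\(",
    re.IGNORECASE,
)
# The backtick operator is PHP's shorthand for shell_exec().
_BACKTICK_RE = re.compile(r"`[^`\n]+`")


def scan_addon(archive_bytes: bytes) -> dict:
    """Return {member_path: [finding, ...]} for every PHP member with a hit."""
    findings = {}
    with zipfile.ZipFile(io.BytesIO(archive_bytes)) as zf:
        for info in zf.infolist():
            name = info.filename.lower()
            if info.is_dir() or not name.endswith((".php", ".phtml", ".inc")):
                continue
            source = zf.read(info).decode("utf-8", errors="replace")
            hits = {m.group(1).lower() + "()" for m in _CALL_RE.finditer(source)}
            if _BACKTICK_RE.search(source):
                hits.add("backtick shell operator")
            if hits:
                findings[info.filename] = sorted(hits)
    return findings


def build_sample_addon() -> bytes:
    """Constructed sample archive: one clean file, one file with a shell call."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("demo-addon/init.php", "<?php\n$cfg = system_config_load();\necho 'ok';\n")
        zf.writestr("demo-addon/helper.php", "<?php\n$out = shell_exec($cmd);\n")
    return buf.getvalue()
```

Run `scan_addon(build_sample_addon())` to see only `demo-addon/helper.php` reported; an empty result is a reasonable gate before an add-on is activated, while a non-empty one warrants manual review rather than automatic rejection.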
