i-doit Pro v25 and below: weak password and add-on upload to RCE, CVE-2023-37756
i-doit Pro v25 exhibits weak password requirements, allowing an extremely weak admin password to be configured, potentially even one as short as a single character.
In addition, the application is susceptible to a plugin (add-on) upload flaw that can enable malicious actors to execute arbitrary OS commands and PHP code on the system with the application's privileges.
Product Description: i-doit is a web-based, open-source Configuration Management Database (CMDB) published by Synetics GmbH.
Affected path: /admin/
The following payloads were tested on i-doit Pro v25.
Payload demonstration:
1. The following screenshot demonstrates the ability to set a one-character password on the admin portal.
2. We can log in successfully using it.
3. The admin interface includes an add-on upload feature.
4. After downloading and decompressing an add-on, our plan is to inject a malicious payload into it.
5. The following screenshot illustrates the insertion of a malicious payload into the initial script of the add-on.
6. The add-on is re-packed for upload.
7. The following screenshot demonstrates the successful uploading and activation of the add-on containing the malicious payload.
8. A reverse shell was automatically initiated upon the initialization of the add-on.
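An added example, not part of the original advisory or of i-doit's own code: a defender-side pre-activation check for uploaded add-ons that flags PHP files calling command-execution or code-evaluation functions (and archive entries that would escape the extraction directory), plus the minimum-length rule the admin password form should have applied. The zip format, the add-on layout, the file names and the 12-character minimum are assumptions made for the demo.

```python
import io
import re
import zipfile

# PHP functions that run OS commands or evaluate code; any call in an uploaded
# add-on deserves review before the add-on is activated.
DANGEROUS_CALL = re.compile(
    r"\b(exec|shell_exec|system|passthru|popen|proc_open|pcntl_exec|eval|assert)\s*\("
)
PHP_SUFFIXES = (".php", ".phtml", ".php5", ".inc")


def build_sample_addon() -> bytes:
    """Constructed add-on archive for the demo; the layout is an assumption."""
    files = {
        "demo-addon/init.php": "<?php\n$config = ['name' => 'demo'];\n",
        "demo-addon/src/hook.php": "<?php\n$out = shell_exec('id');\necho $out;\n",
        "demo-addon/README.md": "shell_exec mentioned in docs is not a PHP call\n",
    }
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, body in files.items():
            zf.writestr(name, body)
    return buf.getvalue()


def scan_addon_archive(data: bytes) -> list:
    """Return one finding per dangerous call in a PHP file, or per unsafe entry path."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            name = info.filename
            # Reject entries that would be written outside the extraction directory.
            if name.startswith("/") or ".." in name.split("/"):
                findings.append({"file": name, "line": 0, "call": "path-traversal"})
                continue
            if info.is_dir() or not name.lower().endswith(PHP_SUFFIXES):
                continue
            src = zf.read(info).decode("utf-8", errors="replace")
            for lineno, line in enumerate(src.splitlines(), 1):
                for m in DANGEROUS_CALL.finditer(line):
                    findings.append({"file": name, "line": lineno, "call": m.group(1)})
    return findings


def password_meets_policy(password: str, min_length: int = 12) -> bool:
    """Minimum-length rule the admin portal should enforce (length is an assumption)."""
    return len(password) >= min_length


if __name__ == "__main__":
    for f in scan_addon_archive(build_sample_addon()):
        print(f"{f['file']}:{f['line']} calls {f['call']}")
    print("single-character password accepted:", password_meets_policy("a"))
```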