Document Title: =============== SoapUI Arbitrary Code Execution via Malicious Project Product Description: =============== SoapUI is the world's most widely-used testing tool for SOAP and REST APIs. Write, run, integrate, and automate advanced API Tests with ease. Homepage: https://www.soapui.org/ PoC: =============== 1) User Imports a malicious project file that contains a request with a malicious end point (Java code that gets executed) 2) User submits the request 3) Code executes Stack trace of code execution: at java.lang.ProcessBuilder.start(ProcessBuilder.java:1041) at java.lang.Runtime.exec(Runtime.java:617) at java.lang.Runtime.exec(Runtime.java:450) at java.lang.Runtime.exec(Runtime.java:347) at java_lang_Runtime$exec.call(Unknown Source) at org.codehaus.groovy.runtime.callsite.CallSiteArray. defaultCall(CallSiteArray.java:45) at org.codehaus.groovy.runtime.callsite.AbstractCallSite. call(AbstractCallSite.java:108) at org.codehaus.groovy.runtime.callsite.AbstractCallSite. call(AbstractCallSite.java:116) at Script3.run(Script3.groovy:1) at com.eviware.soapui.support.scripting.groovy. SoapUIGroovyScriptEngine.run(SoapUIGroovyScriptEngine.java:90) at com.eviware.soapui.model.propertyexpansion.resolvers. EvalPropertyResolver.doEval(EvalPropertyResolver.java:163) at com.eviware.soapui.model.propertyexpansion.resolvers. EvalPropertyResolver.resolveProperty(EvalPropertyResolver.java:143) at com.eviware.soapui.model.propertyexpansion.PropertyExpander.expand( PropertyExpander.java:199) at com.eviware.soapui.model.propertyexpansion.PropertyExpander. expandProperties(PropertyExpander.java:133) at com.eviware.soapui.impl.wsdl.WsdlRequest.submit(WsdlRequest.java:208) at com.eviware.soapui.impl.wsdl.panels.request. AbstractWsdlRequestDesktopPanel.doSubmit(AbstractWsdlRequestDesktopPane l.java:141) CVE-2017-16670