SoapUI 5.3.0 Code Execution

2018.02.12
Credit: Ismail Doe
Risk: High
Local: No
Remote: Yes
CWE: N/A

Document Title:
===============
SoapUI Arbitrary Code Execution via Malicious Project

Product Description:
===============
SoapUI is the world's most widely-used testing tool for SOAP and REST APIs. Write, run, integrate, and automate advanced API Tests with ease.

Homepage: https://www.soapui.org/

PoC:
===============
1) User Imports a malicious project file that contains a request with a malicious end point (Java code that gets executed)
2) User submits the request
3) Code executes

Stack trace of code execution:

    at java.lang.ProcessBuilder.start(ProcessBuilder.java:1041)
    at java.lang.Runtime.exec(Runtime.java:617)
    at java.lang.Runtime.exec(Runtime.java:450)
    at java.lang.Runtime.exec(Runtime.java:347)
    at java_lang_Runtime$exec.call(Unknown Source)
    at org.codehaus.groovy.runtime.callsite.CallSiteArray.defaultCall(CallSiteArray.java:45)
    at org.codehaus.groovy.runtime.callsite.AbstractCallSite.call(AbstractCallSite.java:108)
    at org.codehaus.groovy.runtime.callsite.AbstractCallSite.call(AbstractCallSite.java:116)
    at Script3.run(Script3.groovy:1)
    at com.eviware.soapui.support.scripting.groovy.SoapUIGroovyScriptEngine.run(SoapUIGroovyScriptEngine.java:90)
    at com.eviware.soapui.model.propertyexpansion.resolvers.EvalPropertyResolver.doEval(EvalPropertyResolver.java:163)
    at com.eviware.soapui.model.propertyexpansion.resolvers.EvalPropertyResolver.resolveProperty(EvalPropertyResolver.java:143)
    at com.eviware.soapui.model.propertyexpansion.PropertyExpander.expand(PropertyExpander.java:199)
    at com.eviware.soapui.model.propertyexpansion.PropertyExpander.expandProperties(PropertyExpander.java:133)
    at com.eviware.soapui.impl.wsdl.WsdlRequest.submit(WsdlRequest.java:208)
    at com.eviware.soapui.impl.wsdl.panels.request.AbstractWsdlRequestDesktopPanel.doSubmit(AbstractWsdlRequestDesktopPanel.java:141)

CVE-2017-16670
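A defender-side check for the path shown in the stack trace (property expansion reaching EvalPropertyResolver and the Groovy engine on submit), as an added example that is not part of the original advisory: it scans a project file for SoapUI's inline-script property expansions, written `${=...}`, before the project is opened. The `${=...}` syntax comes from SoapUI's property-expansion documentation rather than from this page; the sample project is constructed and simplified, and all function and variable names are hypothetical.

```python
import re
import xml.etree.ElementTree as ET

# SoapUI inline-script property expansion: ${= <Groovy expression> }.
# Non-greedy match: an expression containing '}' is reported truncated,
# but it is still reported.
EVAL_EXPANSION = re.compile(r"\$\{=(.*?)\}", re.DOTALL)

# Constructed, simplified project file (not a real SoapUI export).
SAMPLE_PROJECT = """
<con:soapui-project name="demo" xmlns:con="http://eviware.com/soapui/config">
  <con:interface name="DemoBinding">
    <con:operation name="GetItem">
      <con:call name="Request 1">
        <con:endpoint>http://${=new Date().getTime()}.example.test/svc</con:endpoint>
      </con:call>
      <con:call name="Request 2">
        <con:endpoint>http://${#Project#host}/svc</con:endpoint>
      </con:call>
    </con:operation>
  </con:interface>
</con:soapui-project>
""".strip()


def find_eval_expansions(project_xml):
    """Return (element path, expression) for each ${=...} in text or attributes."""
    if "<!DOCTYPE" in project_xml:
        # Project files are untrusted input; do not let the parser expand entities.
        raise ValueError("unexpected DOCTYPE in project file, refusing to parse")
    findings = []

    def walk(elem, path):
        here = f"{path}/{elem.tag.rsplit('}', 1)[-1]}"  # drop the XML namespace
        if elem.get("name"):
            here += f"[{elem.get('name')}]"
        for value in [elem.text or "", *elem.attrib.values()]:
            for match in EVAL_EXPANSION.finditer(value):
                findings.append((here, match.group(1).strip()))
        for child in elem:
            walk(child, here)

    walk(ET.fromstring(project_xml), "")
    return findings


if __name__ == "__main__":
    for where, expr in find_eval_expansions(SAMPLE_PROJECT):
        print(f"inline script at {where}: {expr}")
```

Plain property references such as `${#Project#host}` are not reported; only the `${=...}` form that evaluates a script is.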


Copyright 2018, cxsecurity.com

 
