Wednesday, January 15, 2014

SoapUI Code Execution Vulnerability - CVE-2014-1202

In this blog post I will discuss a vulnerability I’ve found in the SoapUI product before version 4.6.4 (CVE-2014-1202).
I discovered this vulnerability during a penetration test in which I saw that the SoapUI software allows the clients to execute a Java code on the local machine by putting a Java code inside the following tag:

${=JAVA CODE};

The vulnerability allows the attacker to execute the java code on the victim's machine, thereby putting in danger the SoapUI users, including developers, penetration testers, etc.

The SoapUI product allows users to open a SOAP / REST project and import  WSDL/WADL files that help the users to communicate with the remote server easily.
WSDL/WADL files are XML-based grammar that define the operations that a web service offers and the format of the request and response messages that the client sends to and receives from the operations.
In WSDL/WADL files, the file owner can determine the default values of some parameters. Thus, an attacker can impersonate a legitimate web service and inject a malicious Java code into a default value of one of the parameters, and spread it to SoapUI clients.
When a SoapUI client will load a malicious WSDL/WADL file to his project in the SoapUI software, and send a request containing the malicious Java code, the SoapUI will execute the malicious Java code on the victim's computer.

The attack scenario:
1. An attacker impersonates a regular web service with a malicious WSDL containing the malicious Java code.
2. The victim creates a new project in the SoapUI and loads the malicious WSDL.
3. The victim decides to send a request to the remote server, thus, the SoapUI executes the malicious Java code.
4. The attacker succeeds in executing malicious code in the victim's machine and will take it over.

A Proof of Concept (PoC) video can be found at the following link:
                    
An example of a malicious WSDL file can be found at the following link:

2 comments:

  1. nice one!
    how did you discovered it btw? how is that code actually executed anyway?


    ReplyDelete
    Replies
    1. Thanks.
      The software allows the clients generate random numbers for dynamic properties and i noticed that its actually a Java code.
      The Java code executes when the client sends the request to the server.

      Delete