In this blog post I will
discuss a vulnerability I’ve found in the SoapUI product before version 4.6.4
(CVE-2014-1202).
I discovered this vulnerability
during a penetration test in which I saw that the SoapUI software allows the
clients to execute a Java code on the local machine by putting a Java code
inside the following tag:
${=JAVA CODE};
The vulnerability allows the attacker to execute the java code on the victim's machine, thereby putting in danger the SoapUI users, including developers, penetration testers, etc.
The SoapUI product allows users
to open a SOAP / REST project and import WSDL/WADL files that help the users to
communicate with the remote server easily.
WSDL/WADL files are XML-based
grammar that define the operations that a web service offers and the format of
the request and response messages that the client sends to and receives from
the operations.
In WSDL/WADL files, the file
owner can determine the default values of some parameters. Thus, an attacker
can impersonate a legitimate web service and inject a malicious Java code into
a default value of one of the parameters, and spread it to SoapUI clients.
When a SoapUI client will load
a malicious WSDL/WADL file to his project in the SoapUI software, and send a
request containing the malicious Java code, the SoapUI will execute the
malicious Java code on the victim's computer.
The attack scenario:
1. An attacker impersonates a regular web service with a malicious
WSDL containing the malicious Java code.
2. The victim creates a new project in the SoapUI and loads the
malicious WSDL.
3. The victim decides to send a request to the remote server,
thus, the SoapUI executes the malicious Java code.
4. The attacker succeeds in executing malicious code in the
victim's machine and will take it over.
A Proof of Concept (PoC) video
can be found at the following link:
An example of a malicious WSDL
file can be found at the following link:
nice one!
ReplyDeletehow did you discovered it btw? how is that code actually executed anyway?
Thanks.
DeleteThe software allows the clients generate random numbers for dynamic properties and i noticed that its actually a Java code.
The Java code executes when the client sends the request to the server.