CVE-2018-19244 in Charles

Summary

by MITRE

An XML External Entity (XXE) vulnerability exists in the Charles 4.2.7 import/export setup option. If a user imports a "Charles Settings.xml" file from an attacker, an intranet network may be accessed and information may be leaked.


Analysis

by VulDB Data Team • 04/12/2020

The vulnerability identified as CVE-2018-19244 represents a critical XML External Entity flaw within the Charles Proxy software version 4.2.7. This issue specifically affects the application's import/export functionality where users can load configuration files using the .xml format. The vulnerability stems from insufficient input validation and sanitization of XML content during the import process, creating an attack surface that allows malicious actors to manipulate the application's behavior through crafted XML payloads. The flaw exists in the Charles Settings.xml file handling mechanism, which processes user-supplied XML data without proper restrictions on external entity resolution.

From a technical perspective, the XXE vulnerability operates by enabling an attacker to define external entities within the XML document that reference internal network resources or external servers. When the vulnerable Charles application processes the malicious XML file, it attempts to resolve these external entities, potentially leading to unauthorized network access or information disclosure. The vulnerability is particularly concerning because it requires user interaction through the import function, making it a client-side attack vector that can be delivered via social engineering or malicious file sharing. The attack leverages the XML parsing capabilities of the underlying application framework, exploiting the lack of proper XML schema validation and entity resolution controls.

The operational impact of this vulnerability extends beyond simple information disclosure, as it can enable attackers to perform various malicious activities within the network environment. An attacker could construct XML payloads that attempt to access internal network services, retrieve sensitive data from local resources, or even perform server-side request forgery attacks against internal systems. The vulnerability affects users who regularly import configuration files from untrusted sources, making it particularly dangerous in enterprise environments where configuration sharing is common. The attack scenario typically involves an attacker crafting a malicious Charles Settings.xml file that, when imported by a victim, triggers the XXE processing and allows unauthorized access to the target network resources.

Security professionals should note that this vulnerability aligns with CWE-611, which specifically addresses Improper Restriction of XML External Entity Reference, and maps to ATT&CK technique T1059.007 for XML External Entity Processing. The recommended mitigation strategies include implementing strict XML parsing controls that disable external entity resolution and parameter entity expansion. Users should avoid importing configuration files from untrusted sources and should always validate the integrity of imported files through checksum verification or digital signatures. Software vendors should implement proper input validation, employ secure XML parsers with restricted entity resolution, and consider implementing sandboxing mechanisms for processing external configuration files. Additionally, network segmentation and firewall rules should be configured to limit access to internal resources from the application environment, reducing the potential impact of successful exploitation attempts.
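A pre-import check in the spirit of the mitigations above, as an added example that is not code from Charles or from VulDB: it walks a settings file with Python's expat bindings, resolves nothing, and reports any DOCTYPE, entity declaration or external entity reference so the file can be rejected before it reaches the importer. The function names and both sample documents (element names, the `intranet.invalid` URL) are constructed for illustration.

```python
import xml.parsers.expat as expat

def audit_settings_xml(data: bytes) -> list:
    """Return DTD/entity findings for a settings file; nothing is fetched."""
    findings = []
    parser = expat.ParserCreate()
    # Never read external DTD subsets or parameter entities.
    parser.SetParamEntityParsing(expat.XML_PARAM_ENTITY_PARSING_NEVER)

    def on_doctype(name, system_id, public_id, has_internal_subset):
        findings.append(f"DOCTYPE declared for <{name}> (external id: {system_id})")

    def on_entity_decl(name, is_param, value, base, system_id, public_id, notation):
        kind = "parameter" if is_param else "general"
        target = f"external {system_id}" if system_id else "internal value"
        findings.append(f"{kind} entity '{name}' -> {target}")

    def on_external_ref(context, base, system_id, public_id):
        # A vulnerable importer would open system_id here; we only record it.
        findings.append(f"external entity referenced: {system_id}")
        return 1  # non-zero: continue parsing without the entity content

    parser.StartDoctypeDeclHandler = on_doctype
    parser.EntityDeclHandler = on_entity_decl
    parser.ExternalEntityRefHandler = on_external_ref
    try:
        parser.Parse(data, True)
    except expat.ExpatError as exc:
        findings.append(f"not well-formed: {exc}")
    return findings

def is_safe_to_import(data: bytes) -> bool:
    # A settings file has no need for a DTD, so any finding means "reject".
    return not audit_settings_xml(data)

# Constructed samples; the element names are placeholders, not the real schema.
CLEAN = b"""<?xml version='1.0' encoding='UTF-8'?>
<configuration><proxy><port>8888</port></proxy></configuration>"""

SUSPECT = b"""<?xml version='1.0' encoding='UTF-8'?>
<!DOCTYPE configuration [
  <!ENTITY probe SYSTEM 'http://intranet.invalid/status'>
]>
<configuration><proxy><port>&probe;</port></proxy></configuration>"""

if __name__ == "__main__":
    for label, doc in (("clean", CLEAN), ("suspect", SUSPECT)):
        print(label, is_safe_to_import(doc), audit_settings_xml(doc))
```

Rejecting every DOCTYPE is stricter than disabling entity resolution alone, and it also catches files that declare entities without using them.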

Reservation

11/13/2018

Disclosure

11/13/2018

Moderation

accepted

CPE

ready

EPSS

0.00381

KEV

no

Activities

very low
