CVE-2017-15358
Description
Race condition in the Charles Proxy Settings suid binary in Charles Proxy before 4.2.1 allows local users to gain privileges via vectors involving the --self-repair option.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Race condition in Charles Proxy's suid binary allows local users to escalate privileges to root via the --self-repair option.
Vulnerability
The Charles Proxy Settings suid binary in Charles Proxy before version 4.2.1 contains a race condition. The binary supports a --self-repair option that re-sets root+suid permissions on itself. It does not validate its own path and uses a simple API call to get the path at invocation time, creating a race window between execution and the permission-setting code [1][2].
Exploitation
A local attacker can exploit this by executing the suid binary with --self-repair and, during the race window, replacing the binary's path with a malicious payload. The attacker must have local access and be able to compile a small C program that sets uid to 0 and executes /bin/bash. The exploit script provided in the references demonstrates the steps: compile the payload, then run the Charles binary with --self-repair while simultaneously replacing the binary with the payload [1][2].
Impact
Successful exploitation grants the attacker a root shell, leading to full system compromise. The attacker gains root privileges, allowing arbitrary code execution with the highest privileges [1][2].
Mitigation
The issue was fixed in Charles Proxy version 4.2.1, released in November 2017. Users should upgrade to 4.2.1 or later. No workaround is mentioned in the available references [1][2].
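Since the only mitigation is the 4.2.1 upgrade, the practical check on a fleet is whether each Mac still carries an older Charles and whether its settings helper is still setuid root. The script below is an added example for that audit; it is not from the advisory, the exploit, or the Charles project. It assumes the binary path quoted later on this page and the standard macOS bundle layout (version read from the bundle's Info.plist `CFBundleShortVersionString` key with the `defaults` tool); the version comparison itself is plain POSIX and runs anywhere.

```shell
#!/bin/sh
# Added audit example for CVE-2017-15358 (not part of the advisory or of Charles).
# Flags a Charles Proxy install older than 4.2.1 and reports whether the
# "Charles Proxy Settings" helper is still setuid root on this host.

CHARLES_APP="/Applications/Charles.app"                                  # assumed install path
CHARLES_SUID_BIN="$CHARLES_APP/Contents/Resources/Charles Proxy Settings" # path from the advisory
FIXED_VERSION="4.2.1"                                                     # first fixed release

# version_lt A B: exit 0 when dotted version A is strictly lower than B.
# Missing components count as 0, so "4.2" < "4.2.1" and "4.10.0" > "4.2.1".
version_lt() {
    awk -v a="$1" -v b="$2" 'BEGIN {
        na = split(a, pa, "."); nb = split(b, pb, ".");
        n = (na > nb) ? na : nb;
        for (i = 1; i <= n; i++) {
            x = (i <= na) ? pa[i] + 0 : 0;
            y = (i <= nb) ? pb[i] + 0 : 0;
            if (x < y) exit 0;
            if (x > y) exit 1;
        }
        exit 1;
    }'
}

# is_setuid_root FILE: exit 0 when FILE is owned by root and has the setuid bit.
# Reads the mode string from ls -ld: position 4 is the user-execute slot and
# shows 's' (or 'S' when not executable) if setuid is set.
is_setuid_root() {
    ls -ld "$1" 2>/dev/null \
        | awk '$3 == "root" && substr($1, 4, 1) ~ /[sS]/ { found = 1 } END { exit !found }'
}

# audit_charles: exit 0 if no vulnerable install is present, 1 if one is, 2 on error.
audit_charles() {
    if [ ! -d "$CHARLES_APP" ]; then
        echo "Charles.app not found at $CHARLES_APP; nothing to check"
        return 0
    fi
    command -v defaults >/dev/null 2>&1 || { echo "defaults(1) not available"; return 2; }
    # Assumption: the bundle stores its marketing version in CFBundleShortVersionString.
    version=$(defaults read "$CHARLES_APP/Contents/Info" CFBundleShortVersionString 2>/dev/null)
    [ -n "$version" ] || { echo "could not read Charles bundle version"; return 2; }

    if version_lt "$version" "$FIXED_VERSION"; then
        echo "VULNERABLE: Charles $version is older than $FIXED_VERSION; upgrade"
        if is_setuid_root "$CHARLES_SUID_BIN"; then
            echo "  helper '$CHARLES_SUID_BIN' is still setuid root"
        fi
        return 1
    fi
    echo "OK: Charles $version is at or above $FIXED_VERSION"
    return 0
}

audit_charles
```

The exit codes are chosen so the script can feed an MDM or osquery-style compliance job directly: non-zero means action is needed. Note that a Charles install below 4.2.1 is vulnerable whether or not the helper currently carries the setuid bit, since the bit is restored the next time the settings helper is used with a password; the setuid check only tells you whether the race is exploitable right now.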
AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- Range: <4.2.1
Patches
No patches discovered yet.
Vulnerability mechanics
Root cause
"Race condition: the suid binary does not validate its own path before applying root+suid permissions, allowing an attacker to swap the file during execution."
Attack vector
A local attacker exploits a race condition in the Charles Proxy Settings suid binary. The attacker creates a symlink to the real binary, then executes it with the `--self-repair` flag. Because the binary is already root+suid, no password dialog is shown. During the race window between execution and the code path that sets root+suid permissions, the attacker replaces the symlink with a malicious payload. The binary then applies root+suid permissions to the attacker's payload instead of itself, granting the attacker a root shell [ref_id=1].
Affected code
The vulnerable suid binary is located at `/Applications/Charles.app/Contents/Resources/Charles Proxy Settings`. The binary supports a `--self-repair` option that re-sets root+suid permissions on itself. The flaw is that the binary does not validate the path to itself; it uses a simple API call to get the path at the time it was invoked, allowing a race window where the path can be replaced with a malicious payload [ref_id=1].
What the fix does
The issue was fixed in Charles 4.2.1 released in November 2017 [ref_id=1]. The advisory does not include a patch diff, but the fix presumably validates the binary's own path before applying suid+root permissions, closing the race window that allowed an attacker to swap the file underneath the running binary [ref_id=1].
Preconditions
- Auth: Attacker must have local user access to the macOS system
- Config: The Charles Proxy Settings binary must already be root+suid (so --self-repair skips the password dialog)
- Input: Attacker must be able to create symlinks and move files in the same directory as the binary
Reproduction
The public exploit (https://www.exploit-db.com/exploits/45107/) provides a bash script that compiles a small C payload (setuid(0); execl("/bin/bash",...)), creates a symlink to the real Charles binary, launches it with `--self-repair`, replaces the symlink with the compiled payload, and polls until the payload receives root permissions, then executes it to spawn a root shell [ref_id=1].
Generated on May 26, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
- [1] https://www.exploit-db.com/exploits/45107/ (EXPLOIT-DB)
- [2] m4.rkw.io/blog/cve201715358-local-root-privesc-in-charles-proxy-42.html (MISC)
News mentions
No linked articles in our index yet.