CVSS2
Attack Vector
LOCAL
Attack Complexity
LOW
Authentication
NONE
Confidentiality Impact
NONE
Integrity Impact
COMPLETE
Availability Impact
NONE
AV:L/AC:L/Au:N/C:N/I:C/A:N
CVSS3
Attack Vector
LOCAL
Attack Complexity
LOW
Privileges Required
LOW
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
NONE
Integrity Impact
HIGH
Availability Impact
NONE
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N
EPSS
Percentile
5.1%
An exploitable privilege escalation vulnerability exists in the helper service of Clean My Mac X, version 4.04, due to improper input validation. An attacker with local access could exploit this vulnerability to modify the file system as root.
Clean My Mac X 4.04
<https://macpaw.com/cleanmymac>
7.1 - CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:C/C:N/I:H/A:N
CWE-19: Improper Input Validation
CleanMyMac X is an all-in-one cleanup and optimization tool for the Mac operating system. The application is able to scan the system and user directories, looking for unused and leftover files and applications. The applications also markets the ability to help detect and prevent viruses and malware on OS X. The software utilizes a privilege helper tool running as root to get this work done faster. This allows the application to remove and modify system files.
The vulnerability lies in the removeLaunchdAgentAtPath
function of the helper protocol. The code for this function is:
user_input = objc_retain(a3); [0]
v8 = objc_retain(v6);
objc_retain(CFSTR("/Library/LaunchDaemons/com.macpaw.CleanMyMac4.Agent.plist"));
if ( objc_msgSend(user_input, "isEqualToString:", CFSTR("/Library/LaunchDaemons/com.macpaw.CleanMyMac4.Agent.plist"), v5) ) [1]
{
v10 = objc_msgSend(&OBJC_CLASS___NSFileManager, "defaultManager");
v11 = objc_retainAutoreleasedReturnValue(v10);
objc_msgSend(
v11,
"removeItemAtPath:error:",
CFSTR("/Library/PrivilegedHelperTools/com.macpaw.CleanMyMac4.Agent"),
0LL);
objc_release(v11);
v12 = objc_msgSend(&OBJC_CLASS___NSFileManager, "defaultManager");
v13 = objc_retainAutoreleasedReturnValue(v12);
objc_msgSend(v13, "removeItemAtPath:error:", user_input, 0LL);
objc_release(v13);
exit(0);
}
v9 = +[CMLaunchdManager removeAgentAtPath:](&OBJC_CLASS___CMLaunchdManager, "removeAgentAtPath:", user_input); [2]
At location [0], the process grabs user input and stores it for later computation. Location [1] shows a check to see if the LaunchDAgent intended to be stopped is the Clean My Mac
agent. If it is, it is deleted and the daemon exits. This daemon runs as root, so killing it arbitrarily crosses a privilege boundary. Again, at location [2], we see a call to removeAgentAtPath
passing in the supplied user argument, thus removing the launched agent. There is no validation of the calling application, therefore, any application is able to access this function. This crosses a privilege boundary, allowing non-root users to delete a packageโs privileged information.
Included with this advisory is an Xcode project, as well as a Python script. The Python script needs an administratorโs password to set up some root files on the system and exploit the vulnerability. The Xcode project contains the proof of concept.
2018-11-20 - Vendor Disclosure
2018-12-27 - Vendor Patched
2019-01-02 - Public Release
CVSS2
Attack Vector
LOCAL
Attack Complexity
LOW
Authentication
NONE
Confidentiality Impact
NONE
Integrity Impact
COMPLETE
Availability Impact
NONE
AV:L/AC:L/Au:N/C:N/I:C/A:N
CVSS3
Attack Vector
LOCAL
Attack Complexity
LOW
Privileges Required
LOW
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
NONE
Integrity Impact
HIGH
Availability Impact
NONE
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N
EPSS
Percentile
5.1%