CVSS2
Attack Vector
LOCAL
Attack Complexity
LOW
Authentication
NONE
Confidentiality Impact
NONE
Integrity Impact
COMPLETE
Availability Impact
NONE
AV:L/AC:L/Au:N/C:N/I:C/A:N
CVSS3
Attack Vector
LOCAL
Attack Complexity
LOW
Privileges Required
LOW
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
NONE
Integrity Impact
HIGH
Availability Impact
NONE
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N
EPSS
Percentile
5.1%
An exploitable privilege escalation vulnerability exists in the Clean My Mac X, version 4.04, helper service due to improper input validation. A user with local access can use this vulnerability to modify the file system as root. An attacker would need local access to the machine for a successful exploit.
Clean My Mac X 4.04
<https://macpaw.com/cleanmymac>
7.1 - CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:C/C:N/I:H/A:N
CWE-19: Improper Input Validation
Clean My Mac X is an all in one Mac cleaning tool. The application is able to scan through system and user directories looking for unused and leftover files and applications. The applications also markets ability to help detect and prevent viruses and malware on OS X. To get all of this work done they utilize a privilege helper tool running as root. This allows the application to remove and modify system files.
The vulnerability arises in removeASL
functionality of the helper protocol. The code for this function is shown below:
v5 = objc_retain(a3);
if ( !+[CMLaunchdManager stopAgentWithLabel:]( [0]
&OBJC_CLASS___CMLaunchdManager,
"stopAgentWithLabel:",
CFSTR("com.apple.syslogd"),
v4) )
{
v11 = "Failed to stop com.apple.syslogd";
goto LABEL_11;
}
if ( !+[CMLaunchdManager stopAgentWithLabel:]( [1]
&OBJC_CLASS___CMLaunchdManager,
"stopAgentWithLabel:",
CFSTR("com.apple.aslmanager")) )
{
v11 = "Failed to stop com.apple.aslmanager";
goto LABEL_11;
}
v6 = objc_msgSend(&OBJC_CLASS___NSFileManager, "defaultManager");
v7 = objc_retainAutoreleasedReturnValue(v6);
v8 = objc_msgSend(v7, "removeContentsOfDirectoryAtPath:", CFSTR("/var/log/asl")); [2]
objc_release(v7);
At location [0], the process calls out and stops the system daemon for logging and at location [1], does the same thing for Apple System Log facility. As both of these are root daemons this creates a privilege issue. At location [2] all logs stored by the Apple System Log facility are then deleted crossing another privilege boundary as all these logs are protected by root. There is no validation of the calling application thus any application is able to access this function. This crosses a privilege boundary allowing non-root users to delete privileged information about a package.
Included with this advisory is an Xcode project as well as a Python script. The Python script needs an administrator password to set up some root files on the system to demonstrate the vulnerabilities. The Xcode project contains the proof of concept.
2018-11-20 - Vendor Disclosure
2018-12-27 - Vendor Patched
2019-01-02 - Public Release
CVSS2
Attack Vector
LOCAL
Attack Complexity
LOW
Authentication
NONE
Confidentiality Impact
NONE
Integrity Impact
COMPLETE
Availability Impact
NONE
AV:L/AC:L/Au:N/C:N/I:C/A:N
CVSS3
Attack Vector
LOCAL
Attack Complexity
LOW
Privileges Required
LOW
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
NONE
Integrity Impact
HIGH
Availability Impact
NONE
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N
EPSS
Percentile
5.1%