A passel of privilege-escalation vulnerabilities in MacPaw’s CleanMyMac X software would allow a local attacker to gain root access to an Apple machine in various ways.
CleanMyMac X is a cleanup application for MacOS that optimizes the drives and frees up space by scanning for unused, redundant or unnecessary files and deleting them. No fewer than a dozen flaws plague 4.0 earlier versions of the software, all of them in the package’s “helper protocol.”
“The application is able to scan the system and user directories, looking for unused and leftover files and applications,” explained Cisco in the advisory, issued Wednesday. “The application also markets the ability to help detect and prevent viruses and malware on OS X. The software utilizes a privilege helper tool running as root to get this work done faster. This allows the application to remove and modify system files.”
As such, the helper functions run as root functions; the flaws arise from the act that they can be accessed by applications without validation – thus giving those applications root access.
CVE-2018-4032 for instance has to do with the “moveItemAtPath” function, according to the advisory: “If the attacker supplies `nil` in the to_path argument, the file is deleted, and any application can access this function and run it as root. Therefore, non-root users could delete files from the root file system.”
A second vulnerability, CVE-2018-4033, exists in the “moveToTrashItemAtPath” function.
“If an attacker enters `nil` into the function’s fourth argument, any other application could access that function as root, allowing them to delete files from the root file system,” according to the advisory.
Three flaws allow attackers to cross a privilege boundary and delete files from the root file system: The “removeItemAtPath” function (CVE-2018-4034); the “truncateFileAtPath” function (CVE-2018-4035); and the “removeKextAtPath” function (CVE-2018-4036).
Other helper protocol functions allow a non-root user to delete the main log data from the system: CVE-2018-4037 exists in the “removeDiagnosticsLogs” function; CVE-2018-4041 exists in the “enableLaunchdAgentAtPath” function; and CVE-2018-4042 is present in the “removeLaunchdAgentAtPath” function.
The “removeASL” function meanwhile also has a vulnerability (CVE-2018-4043) that would allow non-root users to delete a package’s privileged information.
“This process calls out and stops the system daemon for logging and also stops the Apple System Log facility,” according to the advisory. “As both of these are root daemons, this creates a privilege issue.”
CVE-2018-4044 in the “removePackageWithID” function allows an attacker to utilize the “—forget” command when calling this function to delete all receipt information about a particular installed package. Again, there is no validation of the calling application in this scenario, so any application could access the function.
CVE-2018-4045 within the “securelyRemoveItemAtPath” function of the helper protocol exists because a user-supplied argument is passed into this function when executed, allowing non-root users to delete files from the root file system.
And finally, CVE-2018-4047 in the “disableLaunchdAgentAtPath” function of the helper protocol calls “launchtl” and unloads the script from the provided location. Any non-root users could uninstall `launchd` scripts as root.
CVE-2018-4046 meanwhile is different: This is a denial-of-service vulnerability in the “pleaseTerminate” function of the helper service; when executing the function, the process terminates itself; therefore, non-root users can terminate the root daemon.
Users should update to CleanMyMac X version 4.2.0, which patches the flaws.