Tyler Bohan of Cisco Talos discovered these vulnerabilities.


Executive summary

Today, Cisco Talos is disclosing several vulnerabilities in MacPaw’s CleanMyMac X software. CleanMyMac X is a cleanup application for Mac operating systems that allows users to free up extra space on their machines by scanning for unused or unnecessary files and deleting them. In all of these bugs, an attacker with local access to the victim machine could modify the file system as root.

In accordance with our coordinated disclosure policy, Cisco Talos worked with MacPaw to ensure that these issues are resolved and that an update is available for affected customers.

Vulnerability details

CleanMyMac X moveItemAtPath privilege escalation vulnerability (TALOS-2018-0705/CVE-2018-4032)

A privilege escalation vulnerability exists in the way that the CleanMyMac X software improperly validates inputs. This particular bug arises in the in the `moveItemAtPath` function of the helper protocol. If the attacker supplies `nil` in the to_path argument, the file is deleted, and any application can access this function and run it as root. Therefore, non-root users could delete files from the root file system.

For more information on this vulnerability, read our complete advisory here.

CleanMyMac X moveToTrashItemAtPath privilege escalation vulnerability (TALOS-2018-0706/CVE-2018-4033)

A privilege escalation vulnerability exists in the way that the CleanMyMac X software improperly validates inputs. This particular bug arises in the `moveToTrashItemAtPath` function of the helper protocol. If an attacker enters `nil` into the function’s fourth argument, any other application could access that function as root, allowing them to delete files from the root file system.

For more information on this vulnerability, read our complete advisory here.

CleanMyMac X removeItemAtPath privilege escalation vulnerability (TALOS-2018-0707/CVE-2018-4034)

A privilege escalation vulnerability exists in the way that the CleanMyMac X software improperly validates inputs. This particular bug arises in the `removeItemAtPath` function of the helper protocol. When executing this function, there is no validation of the calling application. Therefore, any application is able to access this function and run it as root. An attacker could exploit this vulnerability to cross a privilege boundary and delete files from the root file system.

For more information on this vulnerability, read our complete advisory here.

CleanMyMac X truncateFileAtPath privilege escalation vulnerability (TALOS-2018-0708/CVE-2018-4035)

A privilege escalation vulnerability exists in the way that the CleanMyMac X software improperly validates inputs. This particular bug arises in the `truncateFileAtPath` function of the helper protocol. When executing this function, there is no validation of the calling application. Therefore, any application is able to access this function and run it as root. An attacker could exploit this vulnerability to cross a privilege boundary and delete files from the root file system.

For more information on this vulnerability, read our complete advisory here.

CleanMyMac X removeKextAtPath privilege escalation vulnerability (TALOS-2018-0709/CVE-2018-4036)

A privilege escalation vulnerability exists in the way that the CleanMyMac X software improperly validates inputs. This particular bug arises in the `removeKextAtPath` function of the helper protocol. When executing this function, there is no validation of the calling application. Therefore, any application is able to access this function and run it as root. An attacker could exploit this vulnerability to cross a privilege boundary and delete files from the root file system.

For more information on this vulnerability, read our complete advisory here.

CleanMyMac X removeDiagnosticsLogs privilege escalation vulnerability (TALOS-2018-0710/CVE-2018-4037)

A privilege escalation vulnerability exists in the way that the CleanMyMac X software improperly validates inputs. This particular bug arises in the `removeDiagnosticsLogs` function of the helper protocol. When executing this function, a string is constructed containing the objective-c strings, `erase` and `all`. There is no validation of the calling application, which allows other applications to access this function and run it as root. This could allow a non-root user to delete the main log data from the system.

For more information on this vulnerability, read our complete advisory here.

CleanMyMac X enableLaunchdAgentAtPath privilege escalation vulnerability (TALOS-2018-0715)/CVE-2018-4041)

An exploitable privilege escalation vulnerability exists in the helper service of Clean My Mac X. This particular bug arises in the `enableLaunchdAgentAtPath` function of the helper protocol. When this function is loaded, there is no validation of the calling application, which allows other applications to access this function and run it as root. This could allow a non-root user to delete the main log data from the system.

For more information on this vulnerability, read our complete advisory here.

CleanMyMac X removeLaunchdAgentAtPath privilege escalation vulnerability (TALOS-2018-0716)/CVE-2018-4042)

An exploitable privilege escalation vulnerability exists in the helper service of Clean My Mac X. This particular bug arises in the `removeLaunchdAgentAtPath` function of the helper protocol. When this function is loaded, there is no validation of the calling application, which allows other applications to access this function and run it as root. This could allow a non-root user to delete the main log data from the system.

For more information on this vulnerability, read our complete advisory here.

CleanMyMac X removeASL privilege escalation vulnerability (TALOS-2018-0717)/CVE-2018-4043)

An exploitable privilege escalation vulnerability exists in the helper service of Clean My Mac X. This particular bug arises in the `removeASL` function of the helper protocol. This proces calls out and stops the system daemon for logging and also stops the Apple System Log facility. As both of these are root daemons, this creates a privilege issue. There is no validation of the calling application, and any other application is able to access this function, crossing a privilege boundary. Non-root users could then delete a package’s privileged information.

For more information on this vulnerability, read our complete advisory here.

CleanMyMac X removePackageWithID privilege escalation vulnerability (TALOS-2018-0718)/CVE-2018-4044)

An exploitable privilege escalation vulnerability exists in the helper service of Clean My Mac X. This particular bug arises in the `removePackageWithID` function of the helper protocol. An attacker could utilize the `--forget` command when calling this function to delete all receipt information about a particular installed package. There is no validation of the calling application in this scenario, so any application could access this function. Because this is a privileged helper, it runs as root, which then crosses a privilege boundary, allowing non-root users to delete a package’s privileged information.

For more information on this vulnerability, read our complete advisory here.

CleanMyMac X securelyRemoveItemAtPath privilege escalation vulnerability (TALOS-2018-0719)/CVE-2018-4045)

An exploitable privilege escalation vulnerability exists in the helper service of Clean My Mac X. This particular bug arises in the `securelyRemoveItemAtPath` function of the helper protocol. A user-supplied argument is passed into this function when executed. There is no validation of the calling application, therefore, any application is able to access this function, and because this is a privileged helper, it runs as root. This crosses a privilege boundary, allowing non-root users to delete files from the root file system.

For more information on this vulnerability, read our complete advisory here.

CleanMyMac X pleaseTerminate denial-of-service vulnerability (TALOS-2018-0720)/CVE-2018-4046)

CleanMyMac X contains a denial-of-service vulnerability in its helper service due to improper input validation. This particular bug arises in the `pleaseTerminate` function of the helper protocol. When executing this function, the process terminates itself and has no validation of the calling application. Therefore, any application is able to terminate this function, crossing a privilege boundary and allow non-root users to terminate this root daemon.

For more information on this vulnerability, read our complete advisory here.

CleanMyMac X disableLaunchdAgentAtPath privilege escalation vulnerability(TALOS-2018-0721)/CVE-2018-4047)

CleanMyMac X contains a privilege escalation vulnerability in the software’s helper service. This particular bug arises in the `disableLaunchdAgentAtPath` function of the helper protocol. This function calls `launchtl` and unloads the script from the provided location. All `launchtl` commands must run as root. There is no validation of the calling application, therefore, any application is able to access this function, crossing a privilege boundary. This could allow any non-root users to uninstall `launchd` scripts as root.

For more information on this vulnerability, read our complete advisory here.

Versions tested

Talos has tested and confirmed that Clean My Mac X, version 4.04 is affected by all of these vulnerabilities.

https://macpaw.com/blog/cleanmymac-x-update-4.2.0  

Conclusion

It is recommended that users update to the latest version of this software (CleanMyMac X version 4.2.0). There are several ways in which an attacker could bypass the usual protections in place to acquire greater access to the machine and modify the file system as root.

Coverage

The following SNORTⓇ rules will detect exploitation attempts. Note that additional rules may be released at a future date and current rules are subject to change pending additional vulnerability information. For the most current rule information, please refer to your Firepower Management Center or Snort.org.

Snort Rules: 48297, 48298