
There is a fix available to mitigate multiple privilege escalation vulnerabilities in MacPaw’s CleanMyMac X software, which is a cleanup application for Mac operating systems that allows users to free up extra space on their machines by scanning for unused or unnecessary files and deleting them.

In all of these bugs, an attacker with local access to the victim machine could modify the file system as root, said Tyler Bohan of Cisco Talos who discovered the vulnerabilities.


One privilege escalation vulnerability stems from the way the CleanMyMac X software improperly validates inputs. This bug arises in the “moveItemAtPath” function of the helper protocol. If the attacker supplies “nil” in the to_path argument, the file is deleted, and any application can access this function and run it as root. Therefore, non-root users could delete files from the root file system.

In another privilege escalation vulnerability, the bug arises in the “moveToTrashItemAtPath” function of the helper protocol. If an attacker enters “nil” into the function’s fourth argument, any other application could access that function as root, allowing them to delete files from the root file system, Bohan said.


Another privilege escalation vulnerability is in the “removeItemAtPath” function of the helper protocol. When executing this function, there is no validation of the calling application, Bohan said. Therefore, any application is able to access this function and run it as root. An attacker could exploit this vulnerability to cross a privilege boundary and delete files from the root file system.

There is a vulnerability in the way CleanMyMac X software improperly validates inputs. This bug arises in the “truncateFileAtPath” function of the helper protocol, Bohan said. When executing this function, there is no validation of the calling application. Therefore, any application is able to access this function and run it as root. An attacker could exploit this vulnerability to cross a privilege boundary and delete files from the root file system.

Improperly Validates Inputs
In addition, there is a vulnerability in the way the software improperly validates inputs in the “removeKextAtPath” function. When executing this function, there is no validation of the calling application. Therefore, any application is able to access this function and run it as root. An attacker could exploit this vulnerability to cross a privilege boundary and delete files from the root file system.

Also, a vulnerability exists in the “removeDiagnosticsLogs” function of the helper protocol. When executing this function, a string is constructed containing the Objective-C strings “erase” and “all.” There is no validation of the calling application, which allows other applications to access this function and run it as root. This could allow a non-root user to delete the main log data from the system.

An exploitable privilege escalation vulnerability exists in the “enableLaunchdAgentAtPath” function. When this function is loaded, there is no validation of the calling application, which allows other applications to access this function and run it as root. This could allow a non-root user to delete the main log data from the system.

An exploitable vulnerability exists in the “removeLaunchdAgentAtPath” function, Bohan said. When this function is loaded, there is no validation of the calling application, which allows other applications to access this function and run it as root. This could allow a non-root user to delete the main log data from the system.

Exploitable Bug
An exploitable bug arises in the “removeASL” function. This process calls out and stops the system daemon for logging and also stops the Apple System Log facility. As both of these are root daemons, this creates a privilege issue. There is no validation of the calling application, and any other application is able to access this function, crossing a privilege boundary. Non-root users could then delete a package’s privileged information.

An exploitable bug is in the “removePackageWithID” function of the helper protocol, Bohan said. An attacker could utilize the “--forget” command when calling this function to delete all receipt information about a particular installed package. There is no validation of the calling application in this scenario, so any application could access this function. Because this is a privileged helper, it runs as root, which then crosses a privilege boundary, allowing non-root users to delete a package’s privileged information.

An exploitable bug exists in the “securelyRemoveItemAtPath” function, into which a user-supplied argument is passed when it is executed. There is no validation of the calling application; therefore, any application is able to access this function, and because this is a privileged helper, it runs as root. This crosses a privilege boundary, allowing non-root users to delete files from the root file system.

Denial of Service
There is also a denial-of-service vulnerability in its helper service due to improper input validation. This particular bug arises in the “pleaseTerminate” function of the helper protocol. When executing this function, the process terminates itself, and there is no validation of the calling application. Therefore, any application is able to call this function, crossing a privilege boundary and allowing non-root users to terminate this root daemon.

There is also a bug in the “disableLaunchdAgentAtPath” function of the helper protocol, Bohan said. This function calls “launchctl” and unloads the script from the provided location. All “launchctl” commands must run as root. There is no validation of the calling application; therefore, any application is able to access this function, crossing a privilege boundary. This could allow any non-root user to uninstall “launchd” scripts as root.
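The flaw common to every function above is a privileged helper that serves any caller and, in the “moveItemAtPath” case, accepts a nil destination. As an added illustration, not MacPaw’s or Talos’s code, the following Objective-C shows how an NSXPC helper can require the connecting client to satisfy a code-signing requirement before its interface is exposed, and how the move method can reject a nil or empty destination; the protocol name HelperProtocol, the method signature, the bundle identifier and the Team ID are all assumed placeholders.

```objc
#import <Foundation/Foundation.h>
#import <Security/Security.h>
// Hypothetical protocol: the method name comes from the advisory, its exact signature is assumed.
@protocol HelperProtocol
- (void)moveItemAtPath:(NSString *)fromPath toPath:(NSString *)toPath withReply:(void (^)(BOOL ok))reply;
@end
@interface HelperListener : NSObject <NSXPCListenerDelegate, HelperProtocol>
@end
// Designated requirement every caller must meet: Apple-issued signing chain, the main app's
// bundle identifier and Team ID (placeholder values, not MacPaw's).
static NSString * const kClientRequirement =
    @"anchor apple generic and identifier \"com.example.cleaner\" "
     "and certificate leaf[subject.OU] = \"TEAMID0000\"";

@implementation HelperListener
- (BOOL)listener:(NSXPCListener *)listener shouldAcceptNewConnection:(NSXPCConnection *)conn {
    if (@available(macOS 13.0, *)) {
        // XPC checks the peer's audit token against the requirement on every message.
        [conn setCodeSigningRequirement:kClientRequirement];
    } else if (![self pidSatisfiesRequirement:conn.processIdentifier]) {
        return NO;  // refuse before any privileged method becomes reachable
    }
    conn.exportedInterface = [NSXPCInterface interfaceWithProtocol:@protocol(HelperProtocol)];
    conn.exportedObject = self;
    [conn resume];
    return YES;
}

// Fallback for older systems: resolve the PID to its code object and test the requirement.
// A PID can be reused between check and use, so this is weaker than the audit-token path.
- (BOOL)pidSatisfiesRequirement:(pid_t)pid {
    SecCodeRef client = NULL;
    NSDictionary *attrs = @{ (__bridge NSString *)kSecGuestAttributePid : @(pid) };
    if (SecCodeCopyGuestWithAttributes(NULL, (__bridge CFDictionaryRef)attrs,
                                       kSecCSDefaultFlags, &client) != errSecSuccess) return NO;
    SecRequirementRef req = NULL;
    OSStatus st = SecRequirementCreateWithString((__bridge CFStringRef)kClientRequirement,
                                                 kSecCSDefaultFlags, &req);
    if (st == errSecSuccess) st = SecCodeCheckValidity(client, kSecCSDefaultFlags, req);
    if (req) CFRelease(req);
    CFRelease(client);
    return st == errSecSuccess;
}

// Argument validation: a nil or empty destination must not turn a move into a delete.
- (void)moveItemAtPath:(NSString *)fromPath toPath:(NSString *)toPath withReply:(void (^)(BOOL))reply {
    if (fromPath.length == 0 || toPath.length == 0) { reply(NO); return; }
    reply([[NSFileManager defaultManager] moveItemAtPath:fromPath toPath:toPath error:NULL]);
}
@end
```

Each remaining helper method in the article (remove, truncate, launchd and package operations) would sit behind the same accepted-connection check, so the caller validation is done once per connection rather than per method.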

CleanMyMac X version 4.04 is affected by all of these vulnerabilities, Bohan said.

Click here for the patch for the software.

Bohan recommended users update to the latest version of this software (CleanMyMac X version 4.2.0).

