ID CVE-2018-4043 Type cve Reporter cve@mitre.org Modified 2019-01-25T21:24:00
Description
An exploitable privilege escalation vulnerability exists in the Clean My Mac X, version 4.04, helper service due to improper input validation. A user with local access can use this vulnerability to modify the file system as root. An attacker would need local access to the machine for a successful exploit.
{"id": "CVE-2018-4043", "bulletinFamily": "NVD", "title": "CVE-2018-4043", "description": "An exploitable privilege escalation vulnerability exists in the Clean My Mac X, version 4.04, helper service due to improper input validation. A user with local access can use this vulnerability to modify the file system as root. An attacker would need local access to the machine for a successful exploit.", "published": "2019-01-10T15:29:00", "modified": "2019-01-25T21:24:00", "cvss": {"score": 6.6, "vector": "AV:L/AC:L/Au:N/C:N/I:C/A:C"}, "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2018-4043", "reporter": "cve@mitre.org", "references": ["https://www.talosintelligence.com/vulnerability_reports/TALOS-2018-0717"], "cvelist": ["CVE-2018-4043"], "type": "cve", "lastseen": "2021-02-02T06:52:38", "edition": 4, "viewCount": 4, "enchantments": {"dependencies": {"references": [{"type": "talos", "idList": ["TALOS-2018-0717"]}, {"type": "talosblog", "idList": ["TALOSBLOG:46CD2BB38E6BD272DDD0948BDD17F9F7"]}, {"type": "threatpost", "idList": ["THREATPOST:C27C95C4251FF0DBFE10A54D4C7B4D6E"]}], "modified": "2021-02-02T06:52:38", "rev": 2}, "score": {"value": 5.1, "vector": "NONE", "modified": "2021-02-02T06:52:38", "rev": 2}, "vulnersScore": 5.1}, "cpe": ["cpe:/a:macpaw:cleanmymac_x:4.04"], "affectedSoftware": [{"cpeName": "macpaw:cleanmymac_x", "name": "macpaw cleanmymac x", "operator": "eq", "version": "4.04"}], "cvss2": {"acInsufInfo": false, "cvssV2": {"accessComplexity": "LOW", "accessVector": "LOCAL", "authentication": "NONE", "availabilityImpact": "COMPLETE", "baseScore": 6.6, "confidentialityImpact": "NONE", "integrityImpact": "COMPLETE", "vectorString": "AV:L/AC:L/Au:N/C:N/I:C/A:C", "version": "2.0"}, "exploitabilityScore": 3.9, "impactScore": 9.2, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "severity": "MEDIUM", "userInteractionRequired": false}, "cvss3": {"cvssV3": {"attackComplexity": "LOW", "attackVector": "LOCAL", 
"availabilityImpact": "NONE", "baseScore": 5.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N", "version": "3.0"}, "exploitabilityScore": 1.8, "impactScore": 3.6}, "cpe23": ["cpe:2.3:a:macpaw:cleanmymac_x:4.04:*:*:*:*:*:*:*"], "cwe": ["CWE-20"], "scheme": null, "cpeConfiguration": {"CVE_data_version": "4.0", "nodes": [{"cpe_match": [{"cpe23Uri": "cpe:2.3:a:macpaw:cleanmymac_x:4.04:*:*:*:*:*:*:*", "vulnerable": true}], "operator": "OR"}]}, "extraReferences": [{"name": "https://www.talosintelligence.com/vulnerability_reports/TALOS-2018-0717", "refsource": "MISC", "tags": ["Third Party Advisory", "Exploit"], "url": "https://www.talosintelligence.com/vulnerability_reports/TALOS-2018-0717"}], "immutableFields": []}
{"talos": [{"lastseen": "2019-05-29T19:20:06", "bulletinFamily": "info", "cvelist": ["CVE-2018-4043"], "description": "# Talos Vulnerability Report\n\n### TALOS-2018-0717\n\n## Clean My Mac X removeASL Privilege Escalation Vulnerability\n\n##### January 2, 2019\n\n##### CVE Number\n\nCVE-2018-4043\n\n### Summary\n\nAn exploitable privilege escalation vulnerability exists in the Clean My Mac X, version 4.04, helper service due to improper input validation. A user with local access can use this vulnerability to modify the file system as root. An attacker would need local access to the machine for a successful exploit.\n\n### Tested Versions\n\nClean My Mac X 4.04\n\n### Product URLs\n\n<https://macpaw.com/cleanmymac>\n\n### CVSSv3 Score\n\n7.1 - CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:C/C:N/I:H/A:N\n\n### CWE\n\nCWE-20: Improper Input Validation\n\n### Details\n\nClean My Mac X is an all-in-one Mac cleaning tool. The application is able to scan through system and user directories looking for unused and leftover files and applications. The application also markets the ability to help detect and prevent viruses and malware on OS X. To do this work it uses a privileged helper tool running as root, which allows the application to remove and modify system files.\n\nThe vulnerability arises in the `removeASL` functionality of the helper protocol. 
The code for this function is shown below:\n\n    v5 = objc_retain(a3);\n    if ( !+[CMLaunchdManager stopAgentWithLabel:]( [0]\n        &OBJC_CLASS___CMLaunchdManager,\n        \"stopAgentWithLabel:\",\n        CFSTR(\"com.apple.syslogd\"),\n        v4) )\n    {\n        v11 = \"Failed to stop com.apple.syslogd\";\n        goto LABEL_11;\n    }\n    if ( !+[CMLaunchdManager stopAgentWithLabel:]( [1]\n        &OBJC_CLASS___CMLaunchdManager,\n        \"stopAgentWithLabel:\",\n        CFSTR(\"com.apple.aslmanager\")) )\n    {\n        v11 = \"Failed to stop com.apple.aslmanager\";\n        goto LABEL_11;\n    }\n    v6 = objc_msgSend(&OBJC_CLASS___NSFileManager, \"defaultManager\");\n    v7 = objc_retainAutoreleasedReturnValue(v6);\n    v8 = objc_msgSend(v7, \"removeContentsOfDirectoryAtPath:\", CFSTR(\"/var/log/asl\")); [2]\n    objc_release(v7);\n\nAt location [0], the helper stops the system logging daemon (`com.apple.syslogd`), and at location [1] it does the same for the Apple System Log manager (`com.apple.aslmanager`). Both are root daemons, so an unprivileged caller being able to stop them is already a privilege issue. At location [2] every log stored by the Apple System Log facility under `/var/log/asl` is deleted, crossing another privilege boundary, because those logs are protected by root. The helper performs no validation of the calling application, so any local application can invoke this function over the helper protocol. This crosses a privilege boundary, allowing non-root users to halt system logging and delete root-protected logs.\n\n### Exploit Proof of Concept\n\nIncluded with this advisory is an Xcode project as well as a Python script. The Python script needs an administrator password to set up some root files on the system to demonstrate the vulnerabilities. 
The Xcode project contains the proof of concept.\n\n### Timeline\n\n2018-11-20 - Vendor Disclosure \n2018-12-27 - Vendor Patched \n2019-01-02 - Public Release\n\n##### Credit\n\nDiscovered by Tyler Bohan of Cisco Talos.\n", "edition": 3, "modified": "2019-01-02T00:00:00", "published": "2019-01-02T00:00:00", "id": "TALOS-2018-0717", "href": "http://www.talosintelligence.com/vulnerability_reports/TALOS-2018-0717", "title": "Clean My Mac X removeASL Privilege Escalation Vulnerability", "type": "talos", "cvss": {"score": 6.6, "vector": "AV:L/AC:L/Au:N/C:N/I:C/A:C"}}], "talosblog": [{"lastseen": "2019-01-17T10:41:12", "bulletinFamily": "blog", "cvelist": ["CVE-2018-4032", "CVE-2018-4033", "CVE-2018-4034", "CVE-2018-4035", "CVE-2018-4036", "CVE-2018-4037", "CVE-2018-4041", "CVE-2018-4042", "CVE-2018-4043", "CVE-2018-4044", "CVE-2018-4045", "CVE-2018-4046", "CVE-2018-4047"], "description": "Tyler Bohan of Cisco Talos discovered these vulnerabilities.\n\n## Executive summary\n\nToday, Cisco Talos is disclosing several vulnerabilities in [MacPaw\u2019s CleanMyMac X](<https://macpaw.com/cleanmymac>) software. CleanMyMac X is a cleanup application for Mac operating systems that allows users to free up extra space on their machines by scanning for unused or unnecessary files and deleting them. 
In all but one of these bugs (the `pleaseTerminate` denial of service), an attacker with local access to the victim machine could modify the file system as root.\n\nIn accordance with our coordinated disclosure policy, Cisco Talos worked with MacPaw to ensure that these issues are resolved and that an update is available for affected customers.\n\n## Vulnerability details\n\n#### CleanMyMac X moveItemAtPath privilege escalation vulnerability (TALOS-2018-0705/CVE-2018-4032)\n\nA privilege escalation vulnerability exists in the way that the CleanMyMac X software improperly validates inputs. This particular bug arises in the `moveItemAtPath` function of the helper protocol. If the attacker supplies `nil` in the to_path argument, the file is deleted, and any application can access this function and run it as root. Therefore, non-root users could delete files from the root file system.\n\nFor more information on this vulnerability, read our complete advisory [here](<http://www.talosintelligence.com/reports/TALOS-2018-0705>).\n\n#### CleanMyMac X moveToTrashItemAtPath privilege escalation vulnerability (TALOS-2018-0706/CVE-2018-4033)\n\nA privilege escalation vulnerability exists in the way that the CleanMyMac X software improperly validates inputs. This particular bug arises in the `moveToTrashItemAtPath` function of the helper protocol. If an attacker enters `nil` into the function\u2019s fourth argument, any other application could access that function as root, allowing them to delete files from the root file system.\n\nFor more information on this vulnerability, read our complete advisory [here](<http://www.talosintelligence.com/reports/TALOS-2018-0706>).\n\n#### CleanMyMac X removeItemAtPath privilege escalation vulnerability (TALOS-2018-0707/CVE-2018-4034)\n\nA privilege escalation vulnerability exists in the way that the CleanMyMac X software improperly validates inputs. 
This particular bug arises in the `removeItemAtPath` function of the helper protocol. When executing this function, there is no validation of the calling application. Therefore, any application is able to access this function and run it as root. An attacker could exploit this vulnerability to cross a privilege boundary and delete files from the root file system.\n\nFor more information on this vulnerability, read our complete advisory [here](<http://www.talosintelligence.com/reports/TALOS-2018-0707>).\n\n#### CleanMyMac X truncateFileAtPath privilege escalation vulnerability (TALOS-2018-0708/CVE-2018-4035)\n\nA privilege escalation vulnerability exists in the way that the CleanMyMac X software improperly validates inputs. This particular bug arises in the `truncateFileAtPath` function of the helper protocol. When executing this function, there is no validation of the calling application. Therefore, any application is able to access this function and run it as root. An attacker could exploit this vulnerability to cross a privilege boundary and truncate files in the root file system, destroying their contents.\n\nFor more information on this vulnerability, read our complete advisory [here](<http://www.talosintelligence.com/reports/TALOS-2018-0708>).\n\n#### CleanMyMac X removeKextAtPath privilege escalation vulnerability (TALOS-2018-0709/CVE-2018-4036)\n\nA privilege escalation vulnerability exists in the way that the CleanMyMac X software improperly validates inputs. This particular bug arises in the `removeKextAtPath` function of the helper protocol. When executing this function, there is no validation of the calling application. Therefore, any application is able to access this function and run it as root. 
An attacker could exploit this vulnerability to cross a privilege boundary and delete kernel extension bundles from the root file system.\n\nFor more information on this vulnerability, read our complete advisory [here](<http://www.talosintelligence.com/reports/TALOS-2018-0709>).\n\n#### CleanMyMac X removeDiagnosticsLogs privilege escalation vulnerability (TALOS-2018-0710/CVE-2018-4037)\n\nA privilege escalation vulnerability exists in the way that the CleanMyMac X software improperly validates inputs. This particular bug arises in the `removeDiagnosticsLogs` function of the helper protocol. When executing this function, a string is constructed containing the Objective-C strings `erase` and `all`. There is no validation of the calling application, which allows other applications to access this function and run it as root. This could allow a non-root user to delete the main log data from the system.\n\nFor more information on this vulnerability, read our complete advisory [here](<http://www.talosintelligence.com/reports/TALOS-2018-0710>).\n\n#### CleanMyMac X enableLaunchdAgentAtPath privilege escalation vulnerability (TALOS-2018-0715/CVE-2018-4041)\n\nAn exploitable privilege escalation vulnerability exists in the helper service of Clean My Mac X. This particular bug arises in the `enableLaunchdAgentAtPath` function of the helper protocol. When this function is invoked, there is no validation of the calling application, which allows other applications to access this function and run it as root. 
This could allow a non-root user to enable a launchd agent at a path of their choosing as root.\n\nFor more information on this vulnerability, read our complete advisory [here](<http://www.talosintelligence.com/reports/TALOS-2018-0715>).\n\n#### CleanMyMac X removeLaunchdAgentAtPath privilege escalation vulnerability (TALOS-2018-0716/CVE-2018-4042)\n\nAn exploitable privilege escalation vulnerability exists in the helper service of Clean My Mac X. This particular bug arises in the `removeLaunchdAgentAtPath` function of the helper protocol. When this function is invoked, there is no validation of the calling application, which allows other applications to access this function and run it as root. This could allow a non-root user to remove a launchd agent at a path of their choosing as root.\n\nFor more information on this vulnerability, read our complete advisory [here](<http://www.talosintelligence.com/reports/TALOS-2018-0716>).\n\n#### CleanMyMac X removeASL privilege escalation vulnerability (TALOS-2018-0717/CVE-2018-4043)\n\nAn exploitable privilege escalation vulnerability exists in the helper service of Clean My Mac X. This particular bug arises in the `removeASL` function of the helper protocol. This function stops the system logging daemon (syslogd) and the Apple System Log manager (aslmanager), then deletes the contents of `/var/log/asl`. As both daemons run as root, this creates a privilege issue. There is no validation of the calling application, so any other application is able to access this function, crossing a privilege boundary. Non-root users could then halt system logging and delete root-protected logs.\n\nFor more information on this vulnerability, read our complete advisory [here](<http://www.talosintelligence.com/reports/TALOS-2018-0717>).\n\n#### CleanMyMac X removePackageWithID privilege escalation vulnerability (TALOS-2018-0718/CVE-2018-4044)\n\nAn exploitable privilege escalation vulnerability exists in the helper service of Clean My Mac X. 
This particular bug arises in the `removePackageWithID` function of the helper protocol. An attacker could utilize the `--forget` command when calling this function to delete all receipt information about a particular installed package. There is no validation of the calling application in this scenario, so any application could access this function. Because this is a privileged helper, it runs as root, which crosses a privilege boundary, allowing non-root users to delete a package\u2019s privileged information.\n\nFor more information on this vulnerability, read our complete advisory [here](<http://www.talosintelligence.com/reports/TALOS-2018-0718>).\n\n#### CleanMyMac X securelyRemoveItemAtPath privilege escalation vulnerability (TALOS-2018-0719/CVE-2018-4045)\n\nAn exploitable privilege escalation vulnerability exists in the helper service of Clean My Mac X. This particular bug arises in the `securelyRemoveItemAtPath` function of the helper protocol. A user-supplied argument is passed into this function when executed. There is no validation of the calling application; therefore, any application is able to access this function, and because this is a privileged helper, it runs as root. This crosses a privilege boundary, allowing non-root users to delete files from the root file system.\n\nFor more information on this vulnerability, read our complete advisory [here](<http://www.talosintelligence.com/reports/TALOS-2018-0719>).\n\n#### CleanMyMac X pleaseTerminate denial-of-service vulnerability (TALOS-2018-0720/CVE-2018-4046)\n\nCleanMyMac X contains a denial-of-service vulnerability in its helper service due to improper input validation. This particular bug arises in the `pleaseTerminate` function of the helper protocol. When executing this function, the process terminates itself, and there is no validation of the calling application. 
Therefore, any application is able to invoke this function, crossing a privilege boundary and allowing non-root users to terminate this root daemon.\n\nFor more information on this vulnerability, read our complete advisory [here](<http://www.talosintelligence.com/reports/TALOS-2018-0720>).\n\n#### CleanMyMac X disableLaunchdAgentAtPath privilege escalation vulnerability (TALOS-2018-0721/CVE-2018-4047)\n\nCleanMyMac X contains a privilege escalation vulnerability in the software\u2019s helper service. This particular bug arises in the `disableLaunchdAgentAtPath` function of the helper protocol. This function calls `launchctl` and unloads the job at the provided location; because the helper runs as root, so does the `launchctl` invocation. There is no validation of the calling application; therefore, any application is able to access this function, crossing a privilege boundary. This could allow any non-root user to unload `launchd` jobs as root.\n\nFor more information on this vulnerability, read our complete advisory [here](<http://www.talosintelligence.com/reports/TALOS-2018-0721>).\n\n## Versions tested\n\nTalos has tested and confirmed that Clean My Mac X, version 4.04 is affected by all of these vulnerabilities. MacPaw\u2019s release notes for the fixed version are at <https://macpaw.com/blog/cleanmymac-x-update-4.2.0>.\n\n## Conclusion\n\nIt is recommended that users update to the latest version of this software (CleanMyMac X version 4.2.0). There are several ways in which an attacker could bypass the usual protections in place to acquire greater access to the machine and modify the file system as root.\n\n### Coverage\n\nThe following SNORT\u24c7 rules will detect exploitation attempts. Note that additional rules may be released at a future date and current rules are subject to change pending additional vulnerability information. 
For the most current rule information, please refer to your Firepower Management Center or Snort.org.\n\nSnort Rules: 48297, 48298\n", "modified": "2019-01-04T21:54:05", "published": "2019-01-02T10:50:00", "id": "TALOSBLOG:46CD2BB38E6BD272DDD0948BDD17F9F7", "href": "http://feedproxy.google.com/~r/feedburner/Talos/~3/ByZX4QmPokU/vulnerability-spotlight-CleanMyMac-X.html", "type": "talosblog", "title": "Vulnerability Spotlight: Multiple privilege escalation vulnerabilities in CleanMyMac X", "cvss": {"score": 6.6, "vector": "AV:L/AC:L/Au:N/C:N/I:C/A:C"}}], "threatpost": [{"lastseen": "2019-11-03T07:11:09", "bulletinFamily": "info", "cvelist": ["CVE-2018-4032", "CVE-2018-4033", "CVE-2018-4034", "CVE-2018-4035", "CVE-2018-4036", "CVE-2018-4037", "CVE-2018-4041", "CVE-2018-4042", "CVE-2018-4043", "CVE-2018-4044", "CVE-2018-4045", "CVE-2018-4046", "CVE-2018-4047"], "description": "A passel of privilege-escalation vulnerabilities in MacPaw\u2019s CleanMyMac X software would allow a local attacker to modify the file system as root on an Apple machine in various ways.\n\nCleanMyMac X is a cleanup application for macOS that optimizes the drives and frees up space by scanning for unused, redundant or unnecessary files and deleting them. No fewer than a dozen flaws plague version 4.04 of the software, all of them in the package\u2019s \u201chelper protocol.\u201d\n\n\u201cThe application is able to scan the system and user directories, looking for unused and leftover files and applications,\u201d explained Cisco in [the advisory](<https://blog.talosintelligence.com/2019/01/vulnerability-spotlight-CleanMyMac-X.html#more>), issued Wednesday. \u201cThe application also markets the ability to help detect and prevent viruses and malware on OS X. The software utilizes a privilege helper tool running as root to get this work done faster. 
This allows the application to remove and modify system files.\u201d\n\nAs such, the helper functions run as root; the flaws arise from the fact that they can be called by any application without validation, letting those applications act as root.\n\nCVE-2018-4032, for instance, has to do with the \u201cmoveItemAtPath\u201d function, according to the advisory: \u201cIf the attacker supplies `nil` in the to_path argument, the file is deleted, and any application can access this function and run it as root. Therefore, non-root users could delete files from the root file system.\u201d\n\nA second vulnerability, CVE-2018-4033, exists in the \u201cmoveToTrashItemAtPath\u201d function.\n\n\u201cIf an attacker enters `nil` into the function\u2019s fourth argument, any other application could access that function as root, allowing them to delete files from the root file system,\u201d according to the advisory.\n\nThree flaws allow attackers to cross a privilege boundary and delete files from the root file system: the \u201cremoveItemAtPath\u201d function (CVE-2018-4034); the \u201ctruncateFileAtPath\u201d function (CVE-2018-4035); and the \u201cremoveKextAtPath\u201d function (CVE-2018-4036).\n\nOther helper protocol functions let a non-root user act on the system\u2019s logs and launchd agents as root: CVE-2018-4037 exists in the \u201cremoveDiagnosticsLogs\u201d function; CVE-2018-4041 exists in the \u201cenableLaunchdAgentAtPath\u201d function; and CVE-2018-4042 is present in the \u201cremoveLaunchdAgentAtPath\u201d function.\n\nThe \u201cremoveASL\u201d function meanwhile has a vulnerability (CVE-2018-4043) that would allow non-root users to stop system logging and delete root-protected logs.\n\n\u201cThis process calls out and stops the system daemon for logging and also stops the Apple System Log facility,\u201d according to the advisory. 
\u201cAs both of these are root daemons, this creates a privilege issue.\u201d\n\nCVE-2018-4044 in the \u201cremovePackageWithID\u201d function allows an attacker to utilize the `--forget` command when calling this function to delete all receipt information about a particular installed package. Again, there is no validation of the calling application in this scenario, so any application could access the function.\n\nCVE-2018-4045 within the \u201csecurelyRemoveItemAtPath\u201d function of the helper protocol exists because a user-supplied argument is passed into this function when executed, allowing non-root users to delete files from the root file system.\n\nAnd finally, CVE-2018-4047 in the \u201cdisableLaunchdAgentAtPath\u201d function of the helper protocol calls `launchctl` and unloads the job at the provided location. Any non-root user could unload `launchd` jobs as root.\n\nCVE-2018-4046 meanwhile is different: this is a denial-of-service vulnerability in the \u201cpleaseTerminate\u201d function of the helper service; when executing the function, the process terminates itself, so non-root users can terminate the root daemon.\n\nUsers should update to CleanMyMac X [version 4.2.0](<https://macpaw.com/blog/cleanmymac-x-update-4.2.0>), which patches the flaws.\n", "modified": "2019-01-03T21:50:22", "published": "2019-01-03T21:50:22", "id": "THREATPOST:C27C95C4251FF0DBFE10A54D4C7B4D6E", "href": "https://threatpost.com/flaws-mac-clean-up-root/140551/", "type": "threatpost", "title": "A Dozen Flaws in Popular Mac Clean-Up Software Allow Local Root Access", "cvss": {"score": 6.6, "vector": "AV:L/AC:L/Au:N/C:N/I:C/A:C"}}]}
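Every issue above shares one root cause that the Talos report states for removeASL and the blog repeats for each function: the root helper answers its XPC protocol for any local process, with no check of who connected. The block below is an added example written for this page, not code from MacPaw, Cisco Talos or Threatpost. It shows a listener delegate in the unauthenticated shape the reports describe, a hardened delegate that binds the peer's audit token to a code-signing requirement, and the client side that demonstrates why "any application" could reach the vulnerable shape. `HelperProtocol`, the Mach service name `com.example.cleaner.helper` and the requirement string (bundle identifier and team OU) are assumed placeholders, not CleanMyMac X's real identifiers.

```objective-c
// Added example; not MacPaw, Talos or Threatpost code. Assumed placeholders:
// HelperProtocol, "com.example.cleaner.helper" and the client requirement string.
#import <Foundation/Foundation.h>
#import <Security/Security.h>
#include <mach/mach_types.h>   // audit_token_t

@protocol HelperProtocol
- (void)removeASLWithReply:(void (^)(BOOL ok))reply;   // root-only, like removeASL
@end

// ---- 1. Vulnerable shape: every local process is accepted and reaches root-only methods.
@interface UnauthenticatedDelegate : NSObject <NSXPCListenerDelegate, HelperProtocol> @end
@implementation UnauthenticatedDelegate
- (BOOL)listener:(NSXPCListener *)listener shouldAcceptNewConnection:(NSXPCConnection *)conn {
    conn.exportedInterface = [NSXPCInterface interfaceWithProtocol:@protocol(HelperProtocol)];
    conn.exportedObject = self;   // nothing asks who is on the other end
    [conn resume];
    return YES;                   // the CVE-2018-4043 class of bug
}
- (void)removeASLWithReply:(void (^)(BOOL))reply { reply(NO); /* real work omitted */ }
@end

// ---- 2. Hardened shape: tie the peer's audit token to a code-signing requirement.
// Designated requirement of the one app allowed to talk to the helper (assumed values).
static NSString *const kClientRequirement =
    @"anchor apple generic and identifier \"com.example.cleaner\" "
     "and certificate leaf[subject.OU] = \"ABCDE12345\"";

// YES only if the process behind `conn` satisfies `requirement`. The audit token, not
// the PID, identifies the peer: a PID can be recycled before we check it, a token cannot.
static BOOL PeerSatisfiesRequirement(NSXPCConnection *conn, NSString *requirement) {
    // -auditToken is private API, read here via KVC. On macOS 13+ prefer the public
    // -[NSXPCConnection setCodeSigningRequirement:], which performs this check in XPC.
    NSValue *tokenValue = [conn valueForKey:@"auditToken"];
    if (tokenValue == nil) return NO;
    audit_token_t token;
    [tokenValue getValue:&token];
    NSData *tokenData = [NSData dataWithBytes:&token length:sizeof(token)];

    SecCodeRef peerCode = NULL;
    NSDictionary *attrs = @{ (__bridge NSString *)kSecGuestAttributeAudit : tokenData };
    if (SecCodeCopyGuestWithAttributes(NULL, (__bridge CFDictionaryRef)attrs,
                                       kSecCSDefaultFlags, &peerCode) != errSecSuccess) {
        return NO;
    }
    SecRequirementRef req = NULL;
    BOOL ok = NO;
    if (SecRequirementCreateWithString((__bridge CFStringRef)requirement,
                                       kSecCSDefaultFlags, &req) == errSecSuccess) {
        // Validates the live peer's signature, identifier and certificate chain.
        ok = (SecCodeCheckValidity(peerCode, kSecCSDefaultFlags, req) == errSecSuccess);
        CFRelease(req);
    }
    CFRelease(peerCode);
    return ok;
}

@interface AuthenticatedDelegate : NSObject <NSXPCListenerDelegate, HelperProtocol> @end
@implementation AuthenticatedDelegate
- (BOOL)listener:(NSXPCListener *)listener shouldAcceptNewConnection:(NSXPCConnection *)conn {
    if (!PeerSatisfiesRequirement(conn, kClientRequirement)) {
        return NO;                // unknown caller: the connection is never resumed
    }
    conn.exportedInterface = [NSXPCInterface interfaceWithProtocol:@protocol(HelperProtocol)];
    conn.exportedObject = self;
    [conn resume];
    return YES;
}
- (void)removeASLWithReply:(void (^)(BOOL))reply { reply(NO); /* real work omitted */ }
@end

// ---- 3. What "any application can access this function" means against shape 1:
// an unprivileged client needs nothing but the Mach service name.
static void CallHelperAsAnyUser(void) {
    NSXPCConnection *conn = [[NSXPCConnection alloc]
        initWithMachServiceName:@"com.example.cleaner.helper" options:NSXPCConnectionPrivileged];
    conn.remoteObjectInterface = [NSXPCInterface interfaceWithProtocol:@protocol(HelperProtocol)];
    [conn resume];
    id<HelperProtocol> helper = [conn remoteObjectProxyWithErrorHandler:^(NSError *err) {
        NSLog(@"helper refused the connection: %@", err);   // what shape 2 produces
    }];
    [helper removeASLWithReply:^(BOOL ok) { NSLog(@"removeASL returned %d", ok); }];
}

int main(int argc, const char *argv[]) {
    @autoreleasepool {
        if (argc > 1 && [@(argv[1]) isEqualToString:@"client"]) {   // any user account
            CallHelperAsAnyUser();
            [[NSRunLoop currentRunLoop] runUntilDate:[NSDate dateWithTimeIntervalSinceNow:2]];
            return 0;
        }
        // Helper side: launched by launchd as root after SMJobBless installation.
        AuthenticatedDelegate *delegate = [AuthenticatedDelegate new];
        NSXPCListener *listener =
            [[NSXPCListener alloc] initWithMachServiceName:@"com.example.cleaner.helper"];
        listener.delegate = delegate;
        [listener resume];
        [[NSRunLoop currentRunLoop] run];
    }
    return 0;
}
```

Two caveats follow from this. The `SMAuthorizedClients` entry in a helper's Info.plist is evaluated only when SMJobBless installs the helper; it does not restrict who may connect at runtime, which is why the listener delegate has to perform the check itself. Caller authentication is also necessary but not sufficient: the `nil` to_path bugs in moveItemAtPath and moveToTrashItemAtPath are argument-validation bugs reachable by the legitimate client, so each exported method should still validate its own arguments (reject nil, resolve the path, and refuse anything outside the directories the feature needs).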