Lucene search
K
Database
Vendors
Products
Years
CVSS
Scanner
Agent Scanning
API Scanning
Manual Audit
Perimeter Scanner
Scanning
Projects
Email
Webhook
Plugins
Resources
Documents
Blog
Glossary
FAQ
Pricing
Contacts
About Us
Partners
Branding Guideline
talosTalos IntelligenceTALOS-2018-0719
HistoryJan 02, 2019 - 12:00 a.m.

Clean My Mac X securelyRemoveItemAtPath privilege escalation vulnerability

2019-01-0200:00:00
Talos Intelligence
www.talosintelligence.com
8

4.9 Medium

CVSS2

Attack Vector

LOCAL

Attack Complexity

LOW

Authentication

NONE

Confidentiality Impact

NONE

Integrity Impact

COMPLETE

Availability Impact

NONE

AV:L/AC:L/Au:N/C:N/I:C/A:N

5.5 Medium

CVSS3

Attack Vector

LOCAL

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

HIGH

Availability Impact

NONE

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N

0.0004 Low

EPSS

Percentile

5.1%

JSON

Summary

An exploitable privilege escalation vulnerability exists in the helper service of Clean My Mac X, version 4.04, due to improper input validation. An attacker with local access could exploit this vulnerability to modify the file system as root.

Tested Versions

Clean My Mac X 4.04

Product URLs

<https://macpaw.com/cleanmymac&gt;

CVSSv3 Score

7.1 - CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:C/C:N/I:H/A:N

CWE

CWE-19: Improper Input Validation

Details

CleanMyMac X is an all-in-one cleanup and optimization tool for the Mac operating system. The application is able to scan the system and user directories, looking for unused and leftover files and applications. The applications also markets the ability to help detect and prevent viruses and malware on OS X. The software utilizes a privilege helper tool running as root to get this work done faster. This allows the application to remove and modify system files.

The vulnerability arises in the securelyRemoveItemAtPath functiona of the helper protocol. The code for this function is:

  user_input = objc_retain(arg_3);
  v9 = objc_msgSend(&OBJC_CLASS___NSFileManager, "defaultManager", v5);
  v10 = objc_retainAutoreleasedReturnValue(v9);
  v11 = objc_msgSend(v10, "securelyRemoveFileAtPath:error:", user_input, 0LL);       [0]
  objc_release(user_input);
  objc_release(v10);

At location [0], a user-supplied argument is passed into the function securelyRemoveFileAtPath. There is no validation of the calling application, therefore, any application is able to access this function, and because this is a privileged helper, it runs as root. This crosses a privilege boundary, allowing non-root users to delete files from the root file system.

Exploit Proof of Concept

Included with this advisory is an Xcode project as well as a Python script. The Python script needs an administrator’s password to set up some root files on the system and exploit the vulnerability. The Xcode project contains the proof of concept.

Timeline

2018-11-20 - Vendor Disclosure
2018-12-27 - Vendor Patched
2019-01-02 - Public Release

Related

nvd 1
cve 1
cvelist 1
prion 1
talosblog 1
threatpost 1
nvd
nvd
CVE-2018-4045
2019-01-10 15:29:00
cve
cve
CVE-2018-4045
2019-01-10 15:29:00
cvelist
cvelist
CVE-2018-4045
2019-01-10 15:00:00
prion
prion
Privilege escalation
2019-01-10 15:29:00
talosblog
talosblog
Vulnerability Spotlight: Multiple privilege escalation vulnerabilities in CleanMyMac X
2019-01-02 10:50:00
threatpost
threatpost
A Dozen Flaws in Popular Mac Clean-Up Software Allow Local Root Access
2019-01-03 21:50:22

4.9 Medium

CVSS2

Attack Vector

LOCAL

Attack Complexity

LOW

Authentication

NONE

Confidentiality Impact

NONE

Integrity Impact

COMPLETE

Availability Impact

NONE

AV:L/AC:L/Au:N/C:N/I:C/A:N

5.5 Medium

CVSS3

Attack Vector

LOCAL

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

HIGH

Availability Impact

NONE

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N

0.0004 Low

EPSS

Percentile

5.1%

JSON
Related for TALOS-2018-0719
nvd1cve1cvelist1prion1talosblog1threatpost1