A Dozen Flaws in Popular Mac Clean-Up Software Allow Local Root Access
Published 2019-01-03T21:50:22 (modified 2019-01-03T21:50:22). Reporter: Tara Seals. Threatpost ID THREATPOST:C27C95C4251FF0DBFE10A54D4C7B4D6E. Source: https://threatpost.com/flaws-mac-clean-up-root/140551/
A passel of privilege-escalation vulnerabilities in MacPaw’s CleanMyMac X software would allow a local attacker to gain root access to an Apple machine in various ways.
CleanMyMac X is a cleanup application for macOS that optimizes drives and frees up space by scanning for unused, redundant or unnecessary files and deleting them. No fewer than a dozen flaws plague the 4.0 releases of the software, all of them in the package’s “helper protocol.”
“The application is able to scan the system and user directories, looking for unused and leftover files and applications,” explained Cisco in the advisory, issued Wednesday. “The application also markets the ability to help detect and prevent viruses and malware on OS X. The software utilizes a privilege helper tool running as root to get this work done faster. This allows the application to remove and modify system files.”
As such, the helper’s functions run as root; the flaws arise from the fact that any local application can call them without the helper validating who is calling – thus giving those applications root access.
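The root cause shared by every CVE below is a privileged XPC helper that never checks which process is talking to it, and in the moveItemAtPath case also trusts its arguments (a nil to_path turns a move into a delete). The following Objective-C is an added illustration for defenders, not code from CleanMyMac X, MacPaw or Talos: a root helper that refuses connections from callers that do not meet a code-signing requirement, and validates its own arguments against a directory allow-list before touching the file system. The HelperProtocol, the Mach service name, the bundle identifier, the Team ID and the allow-listed directories are hypothetical placeholders.

```objc
// Added illustration (not CleanMyMac X's code): a root XPC helper that
// (1) refuses connections from callers that do not meet a code-signing
// requirement and (2) validates its own arguments before deleting anything.
// HelperProtocol, the Mach service name, bundle id, Team ID and allow-listed
// directories are hypothetical placeholders.
#import <Foundation/Foundation.h>
#import <Security/Security.h>
#include <errno.h>
#include <limits.h>
#include <stdlib.h>

@protocol HelperProtocol <NSObject>
- (void)removeItemAtPath:(NSString *)path reply:(void (^)(NSError *))reply;
@end

// Only the vendor's own signed app may talk to the helper. "TEAMID0000" is a
// placeholder; Developer ID leaf certificates carry the Team ID in the OU field.
static NSString *const kClientRequirement =
    @"anchor apple generic and identifier \"com.example.cleaner\" "
     "and certificate leaf[subject.OU] = \"TEAMID0000\"";

// Directories the helper is allowed to clean (hypothetical). Anything else is
// refused even for a legitimate caller, so an app bug cannot delete system files.
static NSArray<NSString *> *AllowedRoots(void) {
    return @[ @"/Library/Caches/", @"/private/var/folders/" ];
}

@interface HelperService : NSObject <HelperProtocol>
@end

@implementation HelperService
- (void)removeItemAtPath:(NSString *)path reply:(void (^)(NSError *))reply {
    // A nil or relative path must not silently turn into a delete of something
    // else (compare the nil to_path behaviour described for CVE-2018-4032).
    if (path == nil || ![path isAbsolutePath]) {
        reply([NSError errorWithDomain:NSPOSIXErrorDomain code:EINVAL userInfo:nil]);
        return;
    }
    // Canonicalise with realpath(3) so ".." segments or a symlink into a system
    // directory cannot escape the allow-list; a missing path is an error too.
    char buf[PATH_MAX];
    if (realpath(path.fileSystemRepresentation, buf) == NULL) {
        reply([NSError errorWithDomain:NSPOSIXErrorDomain code:errno userInfo:nil]);
        return;
    }
    NSString *resolved = [NSString stringWithUTF8String:buf];
    BOOL allowed = NO;
    for (NSString *root in AllowedRoots()) {
        if ([resolved hasPrefix:root]) { allowed = YES; break; }
    }
    if (!allowed) {
        reply([NSError errorWithDomain:NSPOSIXErrorDomain code:EACCES userInfo:nil]);
        return;
    }
    NSError *err = nil;
    [[NSFileManager defaultManager] removeItemAtPath:resolved error:&err];
    reply(err);
}
@end

// YES only if the process with this PID satisfies the signing requirement.
// A PID can be reused between this check and the next message, so where the
// audit-token based API exists (macOS 13+) it is used instead.
static BOOL ClientSatisfiesRequirement(pid_t pid, NSString *requirement) {
    SecCodeRef code = NULL;
    SecRequirementRef req = NULL;
    BOOL ok = NO;
    NSDictionary *attrs = @{ (__bridge NSString *)kSecGuestAttributePid : @(pid) };
    if (SecCodeCopyGuestWithAttributes(NULL, (__bridge CFDictionaryRef)attrs,
                                       kSecCSDefaultFlags, &code) == errSecSuccess &&
        SecRequirementCreateWithString((__bridge CFStringRef)requirement,
                                       kSecCSDefaultFlags, &req) == errSecSuccess) {
        ok = (SecCodeCheckValidity(code, kSecCSDefaultFlags, req) == errSecSuccess);
    }
    if (code) CFRelease(code);
    if (req) CFRelease(req);
    return ok;
}

@interface HelperListenerDelegate : NSObject <NSXPCListenerDelegate>
@end

@implementation HelperListenerDelegate
- (BOOL)listener:(NSXPCListener *)listener shouldAcceptNewConnection:(NSXPCConnection *)conn {
    if (@available(macOS 13.0, *)) {
        // Public API: Foundation checks the peer's audit token on every message.
        [conn setCodeSigningRequirement:kClientRequirement];
    } else if (!ClientSatisfiesRequirement(conn.processIdentifier, kClientRequirement)) {
        return NO;   // unknown caller: do not even hand out the interface
    }
    conn.exportedInterface = [NSXPCInterface interfaceWithProtocol:@protocol(HelperProtocol)];
    conn.exportedObject = [HelperService new];
    [conn resume];
    return YES;
}
@end

int main(int argc, const char *argv[]) {
    @autoreleasepool {
        HelperListenerDelegate *delegate = [HelperListenerDelegate new];
        NSXPCListener *listener =
            [[NSXPCListener alloc] initWithMachServiceName:@"com.example.cleaner.helper"];
        listener.delegate = delegate;
        [listener resume];
        [[NSRunLoop currentRunLoop] run];
    }
    return 0;
}
```

Two design points are worth noting. The caller check and the argument check are independent layers: a signing requirement keeps arbitrary local processes out, while the allow-list keeps a compromised or buggy legitimate client from deleting outside the directories the helper exists to clean. The PID-based SecCode path is kept only as a fallback for older systems because a PID can be recycled after the check; a per-message audit-token check, which setCodeSigningRequirement: performs, does not have that window.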
CVE-2018-4032, for instance, has to do with the “moveItemAtPath” function, according to the advisory: “If the attacker supplies nil in the to_path argument, the file is deleted, and any application can access this function and run it as root. Therefore, non-root users could delete files from the root file system.”
A second vulnerability, CVE-2018-4033, exists in the “moveToTrashItemAtPath” function.
“If an attacker enters nil into the function’s fourth argument, any other application could access that function as root, allowing them to delete files from the root file system,” according to the advisory.
Three flaws allow attackers to cross a privilege boundary and delete files from the root file system: The “removeItemAtPath” function (CVE-2018-4034); the “truncateFileAtPath” function (CVE-2018-4035); and the “removeKextAtPath” function (CVE-2018-4036).
Other helper protocol functions allow a non-root user to delete the main log data from the system: CVE-2018-4037 exists in the “removeDiagnosticsLogs” function; CVE-2018-4041 exists in the “enableLaunchdAgentAtPath” function; and CVE-2018-4042 is present in the “removeLaunchdAgentAtPath” function.
The “removeASL” function meanwhile also has a vulnerability (CVE-2018-4043) that would allow non-root users to delete a package’s privileged information.
“This process calls out and stops the system daemon for logging and also stops the Apple System Log facility,” according to the advisory. “As both of these are root daemons, this creates a privilege issue.”
CVE-2018-4044 in the “removePackageWithID” function allows an attacker to pass the “--forget” option when calling this function to delete all receipt information about a particular installed package. Again, there is no validation of the calling application in this scenario, so any application could access the function.
CVE-2018-4045 within the “securelyRemoveItemAtPath” function of the helper protocol exists because a user-supplied argument is passed into this function when executed, allowing non-root users to delete files from the root file system.
And finally, CVE-2018-4047 in the “disableLaunchdAgentAtPath” function of the helper protocol calls “launchctl” and unloads the script from the provided location. Any non-root user could uninstall launchd scripts as root.
CVE-2018-4046, meanwhile, is different: it is a denial-of-service vulnerability in the “pleaseTerminate” function of the helper service. When the function is executed the process terminates itself, so non-root users can terminate the root daemon.
Users should update to CleanMyMac X version 4.2.0 (https://macpaw.com/blog/cleanmymac-x-update-4.2.0), which patches the flaws.
Attached record: Cisco Talos blog post

Vulnerability Spotlight: Multiple privilege escalation vulnerabilities in CleanMyMac X
Published 2019-01-02T10:50:00, modified 2019-01-04T21:54:05. ID TALOSBLOG:46CD2BB38E6BD272DDD0948BDD17F9F7. Feed URL: http://feedproxy.google.com/~r/feedburner/Talos/~3/ByZX4QmPokU/vulnerability-spotlight-CleanMyMac-X.html. CVSS 6.6 (AV:LOCAL/AC:LOW/Au:NONE/C:NONE/I:COMPLETE/A:COMPLETE).

Tyler Bohan of Cisco Talos discovered these vulnerabilities.

Executive summary

Today, Cisco Talos is disclosing several vulnerabilities in MacPaw’s CleanMyMac X software (https://macpaw.com/cleanmymac). CleanMyMac X is a cleanup application for Mac operating systems that allows users to free up extra space on their machines by scanning for unused or unnecessary files and deleting them. In all of these bugs, an attacker with local access to the victim machine could modify the file system as root.

In accordance with our coordinated disclosure policy, Cisco Talos worked with MacPaw to ensure that these issues are resolved and that an update is available for affected customers.

Vulnerability details

CleanMyMac X moveItemAtPath privilege escalation vulnerability (TALOS-2018-0705 / CVE-2018-4032)
A privilege escalation vulnerability exists in the way that the CleanMyMac X software improperly validates inputs. This particular bug arises in the moveItemAtPath function of the helper protocol. If the attacker supplies nil in the to_path argument, the file is deleted, and any application can access this function and run it as root. Therefore, non-root users could delete files from the root file system.
Full advisory: http://www.talosintelligence.com/reports/TALOS-2018-0705

CleanMyMac X moveToTrashItemAtPath privilege escalation vulnerability (TALOS-2018-0706 / CVE-2018-4033)
A privilege escalation vulnerability exists in the way that the CleanMyMac X software improperly validates inputs. This particular bug arises in the moveToTrashItemAtPath function of the helper protocol. If an attacker enters nil into the function’s fourth argument, any other application could access that function as root, allowing them to delete files from the root file system.
Full advisory: http://www.talosintelligence.com/reports/TALOS-2018-0706

CleanMyMac X removeItemAtPath privilege escalation vulnerability (TALOS-2018-0707 / CVE-2018-4034)
A privilege escalation vulnerability exists in the way that the CleanMyMac X software improperly validates inputs. This particular bug arises in the removeItemAtPath function of the helper protocol. When executing this function, there is no validation of the calling application. Therefore, any application is able to access this function and run it as root. An attacker could exploit this vulnerability to cross a privilege boundary and delete files from the root file system.
Full advisory: http://www.talosintelligence.com/reports/TALOS-2018-0707

CleanMyMac X truncateFileAtPath privilege escalation vulnerability (TALOS-2018-0708 / CVE-2018-4035)
A privilege escalation vulnerability exists in the way that the CleanMyMac X software improperly validates inputs. This particular bug arises in the truncateFileAtPath function of the helper protocol. When executing this function, there is no validation of the calling application. Therefore, any application is able to access this function and run it as root. An attacker could exploit this vulnerability to cross a privilege boundary and delete files from the root file system.
Full advisory: http://www.talosintelligence.com/reports/TALOS-2018-0708

CleanMyMac X removeKextAtPath privilege escalation vulnerability (TALOS-2018-0709 / CVE-2018-4036)
A privilege escalation vulnerability exists in the way that the CleanMyMac X software improperly validates inputs. This particular bug arises in the removeKextAtPath function of the helper protocol. When executing this function, there is no validation of the calling application. Therefore, any application is able to access this function and run it as root. An attacker could exploit this vulnerability to cross a privilege boundary and delete files from the root file system.
Full advisory: http://www.talosintelligence.com/reports/TALOS-2018-0709

CleanMyMac X removeDiagnosticsLogs privilege escalation vulnerability (TALOS-2018-0710 / CVE-2018-4037)
A privilege escalation vulnerability exists in the way that the CleanMyMac X software improperly validates inputs. This particular bug arises in the removeDiagnosticsLogs function of the helper protocol. When executing this function, a string is constructed containing the Objective-C strings erase and all. There is no validation of the calling application, which allows other applications to access this function and run it as root. This could allow a non-root user to delete the main log data from the system.
Full advisory: http://www.talosintelligence.com/reports/TALOS-2018-0710

CleanMyMac X enableLaunchdAgentAtPath privilege escalation vulnerability (TALOS-2018-0715 / CVE-2018-4041)
An exploitable privilege escalation vulnerability exists in the helper service of Clean My Mac X. This particular bug arises in the enableLaunchdAgentAtPath function of the helper protocol. When this function is loaded, there is no validation of the calling application, which allows other applications to access this function and run it as root. This could allow a non-root user to delete the main log data from the system.
Full advisory: http://www.talosintelligence.com/reports/TALOS-2018-0715

CleanMyMac X removeLaunchdAgentAtPath privilege escalation vulnerability (TALOS-2018-0716 / CVE-2018-4042)
An exploitable privilege escalation vulnerability exists in the helper service of Clean My Mac X. This particular bug arises in the removeLaunchdAgentAtPath function of the helper protocol. When this function is loaded, there is no validation of the calling application, which allows other applications to access this function and run it as root. This could allow a non-root user to delete the main log data from the system.
Full advisory: http://www.talosintelligence.com/reports/TALOS-2018-0716

CleanMyMac X removeASL privilege escalation vulnerability (TALOS-2018-0717 / CVE-2018-4043)
An exploitable privilege escalation vulnerability exists in the helper service of Clean My Mac X. This particular bug arises in the removeASL function of the helper protocol. This process calls out and stops the system daemon for logging and also stops the Apple System Log facility. As both of these are root daemons, this creates a privilege issue. There is no validation of the calling application, and any other application is able to access this function, crossing a privilege boundary. Non-root users could then delete a package’s privileged information.
Full advisory: http://www.talosintelligence.com/reports/TALOS-2018-0717

CleanMyMac X removePackageWithID privilege escalation vulnerability (TALOS-2018-0718 / CVE-2018-4044)
An exploitable privilege escalation vulnerability exists in the helper service of Clean My Mac X. This particular bug arises in the removePackageWithID function of the helper protocol. An attacker could pass the --forget option when calling this function to delete all receipt information about a particular installed package. There is no validation of the calling application in this scenario, so any application could access this function. Because this is a privileged helper, it runs as root, which then crosses a privilege boundary, allowing non-root users to delete a package’s privileged information.
Full advisory: http://www.talosintelligence.com/reports/TALOS-2018-0718

CleanMyMac X securelyRemoveItemAtPath privilege escalation vulnerability (TALOS-2018-0719 / CVE-2018-4045)
An exploitable privilege escalation vulnerability exists in the helper service of Clean My Mac X. This particular bug arises in the securelyRemoveItemAtPath function of the helper protocol. A user-supplied argument is passed into this function when executed. There is no validation of the calling application; therefore, any application is able to access this function, and because this is a privileged helper, it runs as root. This crosses a privilege boundary, allowing non-root users to delete files from the root file system.
Full advisory: http://www.talosintelligence.com/reports/TALOS-2018-0719

CleanMyMac X pleaseTerminate denial-of-service vulnerability (TALOS-2018-0720 / CVE-2018-4046)
CleanMyMac X contains a denial-of-service vulnerability in its helper service due to improper input validation. This particular bug arises in the pleaseTerminate function of the helper protocol. When executing this function, the process terminates itself, and there is no validation of the calling application. Therefore, any application is able to invoke this function, crossing a privilege boundary and allowing non-root users to terminate this root daemon.
Full advisory: http://www.talosintelligence.com/reports/TALOS-2018-0720

CleanMyMac X disableLaunchdAgentAtPath privilege escalation vulnerability (TALOS-2018-0721 / CVE-2018-4047)
CleanMyMac X contains a privilege escalation vulnerability in the software’s helper service. This particular bug arises in the disableLaunchdAgentAtPath function of the helper protocol. This function calls launchctl and unloads the script from the provided location. All launchctl commands must run as root. There is no validation of the calling application; therefore, any application is able to access this function, crossing a privilege boundary. This could allow any non-root user to uninstall launchd scripts as root.
Full advisory: http://www.talosintelligence.com/reports/TALOS-2018-0721

Versions tested

Talos has tested and confirmed that Clean My Mac X version 4.04 is affected by all of these vulnerabilities. Vendor update: https://macpaw.com/blog/cleanmymac-x-update-4.2.0

Conclusion

It is recommended that users update to the latest version of this software (CleanMyMac X version 4.2.0). There are several ways in which an attacker could bypass the usual protections in place to acquire greater access to the machine and modify the file system as root.

Coverage

The following SNORT® rules will detect exploitation attempts. Note that additional rules may be released at a future date and current rules are subject to change pending additional vulnerability information. For the most current rule information, please refer to your Firepower Management Center or Snort.org.

Snort Rules: 48297, 48298

Attached records: NVD entries

All entries below carry CWE-20, CPE cpe:2.3:a:macpaw:cleanmymac_x:4.04:*:*:*:*:*:*:*, were published 2019-01-10T15:29:00 and are listed at https://web.nvd.nist.gov/view/vuln/detail?vulnId=<CVE-ID>. Scores are CVSS v3.0 base score and vector, with the CVSS v2 score and vector in parentheses.

CVE-2018-4032 (modified 2019-01-17T13:02:00): An exploitable privilege escalation vulnerability exists in the way the CleanMyMac X software improperly validates inputs. An attacker with local access could use this vulnerability to modify the file system as root. An attacker would need local access to the machine for a successful exploit. 5.5 MEDIUM, CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N (v2 6.6, AV:L/AC:L/Au:N/C:N/I:C/A:C).

CVE-2018-4034 (modified 2019-01-16T17:28:00): The CleanMyMac X software contains an exploitable privilege escalation vulnerability that exists due to improper input validation. An attacker with local access could use this vulnerability to modify the file system as root. 5.5 MEDIUM, CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N (v2 6.6, AV:L/AC:L/Au:N/C:N/I:C/A:C).

CVE-2018-4036 (modified 2019-01-16T17:28:00): The CleanMyMac X software contains an exploitable privilege escalation vulnerability due to improper input validation. An attacker with local access could use this vulnerability to modify the running kernel extensions on the system. 5.5 MEDIUM, CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N (v2 6.6, AV:L/AC:L/Au:N/C:N/I:C/A:C).

CVE-2018-4042 (modified 2019-01-16T17:27:00): An exploitable privilege escalation vulnerability exists in the helper service of Clean My Mac X, version 4.04, due to improper input validation. An attacker with local access could exploit this vulnerability to modify the file system as root. 5.5 MEDIUM, CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N (v2 6.6, AV:L/AC:L/Au:N/C:N/I:C/A:C).

CVE-2018-4044 (modified 2019-01-16T17:26:00): An exploitable privilege escalation vulnerability exists in the helper service of Clean My Mac X, version 4.04, due to improper input validation. An attacker with local access could exploit this vulnerability to modify the file system as root. 5.5 MEDIUM, CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N (v2 6.6, AV:L/AC:L/Au:N/C:N/I:C/A:C).

CVE-2018-4045 (modified 2019-01-16T17:26:00): An exploitable privilege escalation vulnerability exists in the helper service of Clean My Mac X, version 4.04, due to improper input validation. An attacker with local access could exploit this vulnerability to modify the file system as root. 5.5 MEDIUM, CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N (v2 6.6, AV:L/AC:L/Au:N/C:N/I:C/A:C).

CVE-2018-4046 (modified 2019-01-25T21:25:00): An exploitable denial-of-service vulnerability exists in the helper service of Clean My Mac X, version 4.04, due to improper input validation. A user with local access can use this vulnerability to terminate a privileged helper application. An attacker would need local access to the machine for a successful exploit. 5.5 MEDIUM, CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H (v2 2.1 LOW, AV:L/AC:L/Au:N/C:N/I:P/A:N).

CVE-2018-4047 (modified 2019-01-16T17:25:00): An exploitable privilege escalation vulnerability exists in the helper service of Clean My Mac X, version 4.04, due to improper input validation. An attacker with local access could exploit this vulnerability to modify the file system as root. 5.5 MEDIUM, CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N (v2 6.6, AV:L/AC:L/Au:N/C:N/I:C/A:C).

One further NVD record is cut off in the source after its description ("The CleanMyMac X software contains an exploitable privilege escalation vulnerability due to improper input validation."); its CVE ID is not present.
An attacker with local access could use this vulnerability to modify the file system as root.", "edition": 3, "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "NONE", "integrityImpact": "HIGH", "baseScore": 5.5, "privilegesRequired": "LOW", "vectorString": "CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N", "userInteraction": "NONE", "version": "3.0"}, "impactScore": 3.6}, "published": "2019-01-10T15:29:00", "title": "CVE-2018-4033", "type": "cve", "cwe": ["CWE-20"], "bulletinFamily": "NVD", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 3.9, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "NONE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 6.6, "vectorString": "AV:L/AC:L/Au:N/C:N/I:C/A:C", "version": "2.0", "accessVector": "LOCAL", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 9.2, "obtainUserPrivilege": false}, "cvelist": ["CVE-2018-4033"], "modified": "2019-01-17T13:03:00", "cpe": ["cpe:/a:macpaw:cleanmymac_x:4.04"], "id": "CVE-2018-4033", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2018-4033", "cvss": {"score": 6.6, "vector": "AV:L/AC:L/Au:N/C:N/I:C/A:C"}, "cpe23": ["cpe:2.3:a:macpaw:cleanmymac_x:4.04:*:*:*:*:*:*:*"]}, {"lastseen": "2020-10-03T13:20:21", "description": "An exploitable privilege escalation vulnerability exists in the helper service of Clean My Mac X, version 4.04, due to improper input validation. 
An attacker with local access could exploit this vulnerability to modify the file system as root.", "edition": 3, "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "NONE", "integrityImpact": "HIGH", "baseScore": 5.5, "privilegesRequired": "LOW", "vectorString": "CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N", "userInteraction": "NONE", "version": "3.0"}, "impactScore": 3.6}, "published": "2019-01-10T15:29:00", "title": "CVE-2018-4041", "type": "cve", "cwe": ["CWE-20"], "bulletinFamily": "NVD", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 3.9, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "NONE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 6.6, "vectorString": "AV:L/AC:L/Au:N/C:N/I:C/A:C", "version": "2.0", "accessVector": "LOCAL", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 9.2, "obtainUserPrivilege": false}, "cvelist": ["CVE-2018-4041"], "modified": "2019-01-16T17:27:00", "cpe": ["cpe:/a:macpaw:cleanmymac_x:4.04"], "id": "CVE-2018-4041", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2018-4041", "cvss": {"score": 6.6, "vector": "AV:L/AC:L/Au:N/C:N/I:C/A:C"}, "cpe23": ["cpe:2.3:a:macpaw:cleanmymac_x:4.04:*:*:*:*:*:*:*"]}], "talos": [{"lastseen": "2019-05-29T19:20:04", "bulletinFamily": "info", "cvelist": ["CVE-2018-4044"], "description": "# Talos Vulnerability Report\n\n### TALOS-2018-0718\n\n## Clean My Mac X removePackageWithID privilege escalation vulnerability\n\n##### January 2, 2019\n\n##### CVE Number\n\nCVE-2018-4044\n\n### Summary\n\nAn exploitable privilege escalation vulnerability exists in the helper service of Clean My Mac X, version 4.04, due to improper input validation. 
An attacker with local access could exploit this vulnerability to modify the file system as root.\n\n### Tested Versions\n\nClean My Mac X 4.04\n\n### Product URLs\n\n<https://macpaw.com/cleanmymac>\n\n### CVSSv3 Score\n\n7.1 - CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:C/C:N/I:H/A:N\n\n### CWE\n\nCWE-19: Improper Input Validation\n\n### Details\n\nCleanMyMac X is an all-in-one cleanup and optimization tool for the Mac operating system. The application is able to scan the system and user directories, looking for unused and leftover files and applications. The applications also markets the ability to help detect and prevent viruses and malware on OS X. The software utilizes a privilege helper tool running as root to get this work done faster. This allows the application to remove and modify system files.\n\nThe vulnerability arises in the `removePackageWithID` function of the helper protocol. The code for this function is shown below:\n \n \n v8 = CFSTR(\"--forget\"); [0]\n user_input = objc_retain(arg_3);\n v4 = objc_msgSend(&OBJC_CLASS___NSArray, \"arrayWithObjects:count:\", &v8, 2LL);\n v5 = objc_retainAutoreleasedReturnValue(v4);\n v6 = (objc_msgSend)(\n &OBJC_CLASS___CMTaskRunner,\n \"launchTaskAndGetTermStatusWithCmd:arguments:\",\n CFSTR(\"/usr/sbin/pkgutil\"), [1]\n v5,\n user_input);\n \n\nAt location [0], arguments are set up to pass in to the function call. At location [1], it is seen to call into the OSX utility pkgutil, which is responsible for handling OSX install packages. Utilizing the `--forget` command will delete all receipt information about a particular installed package. There is no validation of the calling application, therefore, any application is able to access this function, and because this is a privileged helper, it runs as root. This crosses a privilege boundary, allowing non-root users to delete privileged information about a package.\n\n### Exploit Proof of Concept\n\nIncluded with this advisory is an Xcode project as well as a Python script. 
The Python script needs an administrator\u2019s password to set up some root files on the system and exploit the vulnerability. The Xcode project contains the proof of concept.\n\n### Timeline\n\n2018-11-20 - Vendor Disclosure \n2018-12-27 - Vendor Patched \n2019-01-02 - Public Release\n\n##### Credit\n\nDiscovered by Tyler Bohan of Cisco Talos.\n\n* * *\n\nVulnerability Reports Next Report\n\nTALOS-2018-0719\n\nPrevious Report\n\nTALOS-2018-0717\n", "edition": 3, "modified": "2019-01-02T00:00:00", "published": "2019-01-02T00:00:00", "id": "TALOS-2018-0718", "href": "http://www.talosintelligence.com/vulnerability_reports/TALOS-2018-0718", "title": "Clean My Mac X removePackageWithID privilege escalation vulnerability", "type": "talos", "cvss": {"score": 6.6, "vector": "AV:L/AC:L/Au:N/C:N/I:C/A:C"}}, {"lastseen": "2019-05-29T19:19:56", "bulletinFamily": "info", "cvelist": ["CVE-2018-4042"], "description": "# Talos Vulnerability Report\n\n### TALOS-2018-0716\n\n## Clean My Mac X removeLaunchdAgentAtPath privilege escalation vulnerability\n\n##### January 2, 2019\n\n##### CVE Number\n\nCVE-2018-4042\n\n### Summary\n\nAn exploitable privilege escalation vulnerability exists in the helper service of Clean My Mac X, version 4.04, due to improper input validation. An attacker with local access could exploit this vulnerability to modify the file system as root.\n\n### Tested Versions\n\nClean My Mac X 4.04\n\n### Product URLs\n\n<https://macpaw.com/cleanmymac>\n\n### CVSSv3 Score\n\n7.1 - CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:C/C:N/I:H/A:N\n\n### CWE\n\nCWE-19: Improper Input Validation\n\n### Details\n\nCleanMyMac X is an all-in-one cleanup and optimization tool for the Mac operating system. The application is able to scan the system and user directories, looking for unused and leftover files and applications. The applications also markets the ability to help detect and prevent viruses and malware on OS X. 
The software utilizes a privilege helper tool running as root to get this work done faster. This allows the application to remove and modify system files.\n\nThe vulnerability lies in the `removeLaunchdAgentAtPath` function of the helper protocol. The code for this function is:\n \n \n user_input = objc_retain(a3); [0]\n v8 = objc_retain(v6);\n objc_retain(CFSTR(\"/Library/LaunchDaemons/com.macpaw.CleanMyMac4.Agent.plist\"));\n if ( objc_msgSend(user_input, \"isEqualToString:\", CFSTR(\"/Library/LaunchDaemons/com.macpaw.CleanMyMac4.Agent.plist\"), v5) ) [1]\n {\n v10 = objc_msgSend(&OBJC_CLASS___NSFileManager, \"defaultManager\");\n v11 = objc_retainAutoreleasedReturnValue(v10);\n objc_msgSend(\n v11,\n \"removeItemAtPath:error:\",\n CFSTR(\"/Library/PrivilegedHelperTools/com.macpaw.CleanMyMac4.Agent\"),\n 0LL);\n objc_release(v11);\n v12 = objc_msgSend(&OBJC_CLASS___NSFileManager, \"defaultManager\");\n v13 = objc_retainAutoreleasedReturnValue(v12);\n objc_msgSend(v13, \"removeItemAtPath:error:\", user_input, 0LL);\n objc_release(v13);\n exit(0);\n }\n v9 = +[CMLaunchdManager removeAgentAtPath:](&OBJC_CLASS___CMLaunchdManager, \"removeAgentAtPath:\", user_input); [2]\n \n\nAt location [0], the process grabs user input and stores it for later computation. Location [1] shows a check to see if the LaunchDAgent intended to be stopped is the `Clean My Mac` agent. If it is, it is deleted and the daemon exits. This daemon runs as root, so killing it arbitrarily crosses a privilege boundary. Again, at location [2], we see a call to `removeAgentAtPath` passing in the supplied user argument, thus removing the launched agent. There is no validation of the calling application, therefore, any application is able to access this function. This crosses a privilege boundary, allowing non-root users to delete a package\u2019s privileged information.\n\n### Exploit Proof of Concept\n\nIncluded with this advisory is an Xcode project, as well as a Python script. 
The Python script needs an administrator\u2019s password to set up some root files on the system and exploit the vulnerability. The Xcode project contains the proof of concept.\n\n### Timeline\n\n2018-11-20 - Vendor Disclosure \n2018-12-27 - Vendor Patched \n2019-01-02 - Public Release\n\n##### Credit\n\nDiscovered by Tyler Bohan of Cisco Talos.\n\n* * *\n\nVulnerability Reports Next Report\n\nTALOS-2018-0717\n\nPrevious Report\n\nTALOS-2018-0715\n", "edition": 3, "modified": "2019-01-02T00:00:00", "published": "2019-01-02T00:00:00", "id": "TALOS-2018-0716", "href": "http://www.talosintelligence.com/vulnerability_reports/TALOS-2018-0716", "title": "Clean My Mac X removeLaunchdAgentAtPath privilege escalation vulnerability", "type": "talos", "cvss": {"score": 6.6, "vector": "AV:L/AC:L/Au:N/C:N/I:C/A:C"}}, {"lastseen": "2019-05-29T19:19:56", "bulletinFamily": "info", "cvelist": ["CVE-2018-4041"], "description": "# Talos Vulnerability Report\n\n### TALOS-2018-0715\n\n## Clean My Mac X enableLaunchdAgentAtPath privilege escalation vulnerability\n\n##### January 2, 2019\n\n##### CVE Number\n\nCVE-2018-4041\n\n### Summary\n\nAn exploitable privilege escalation vulnerability exists in the helper service of Clean My Mac X, version 4.04, due to improper input validation. An attacker with local access could exploit this vulnerability to modify the file system as root.\n\n### Tested Versions\n\nClean My Mac X 4.04\n\n### Product URLs\n\n<https://macpaw.com/cleanmymac>\n\n### CVSSv3 Score\n\n7.1 - CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:C/C:N/I:H/A:N\n\n### CWE\n\nCWE-19: Improper Input Validation\n\n### Details\n\nCleanMyMac X is an all-in-one cleanup and optimization tool for the Mac operating system. The application is able to scan the system and user directories, looking for unused and leftover files and applications. The applications also markets the ability to help detect and prevent viruses and malware on OS X. 
The software utilizes a privilege helper tool running as root to get this work done faster. This allows the application to remove and modify system files.\n\nThe vulnerability lies in the `enableLaunchdAgentAtPath` function of the helper protocol. The code for this function is:\n \n \n user_input = objc_retain(arg_3);\n v9 = +[CMLaunchdManager enableAgentAtPath:](&OBJC_CLASS___CMLaunchdManager, \"enableAgentAtPath:\", user_input, ret); [0]\n objc_release(user_input);\n \n\nAt location [0], the process passes user input directly into `enableAgentAtPath`, which simply calls `launchtl` and loads the script from the provided location. To be properly loaded, an agent must be run from a root configuration file. However, the ability to launch any root configuration file on the system still crosses a privilege boundary. There is no validation of the calling application, therefore, any application is able to access this function. This crosses a privilege boundary, allowing non-root users to install `launchd` scripts as root.\n\n### Exploit Proof of Concept\n\nIncluded with this advisory is an Xcode project, as well as a Python script. The Python script needs an administrator\u2019s password to set up some root files on the system to demonstrate the vulnerabilities. 
The Xcode project contains the proof of concept.\n\n### Timeline\n\n2018-11-20 - Vendor Disclosure \n2018-12-27 - Vendor Patched \n2019-01-02 - Public Release\n\n##### Credit\n\nDiscovered by Tyler Bohan of Cisco Talos.\n\n* * *\n\nVulnerability Reports Next Report\n\nTALOS-2018-0716\n\nPrevious Report\n\nTALOS-2018-0710\n", "edition": 3, "modified": "2019-01-02T00:00:00", "published": "2019-01-02T00:00:00", "id": "TALOS-2018-0715", "href": "http://www.talosintelligence.com/vulnerability_reports/TALOS-2018-0715", "title": "Clean My Mac X enableLaunchdAgentAtPath privilege escalation vulnerability", "type": "talos", "cvss": {"score": 6.6, "vector": "AV:L/AC:L/Au:N/C:N/I:C/A:C"}}, {"lastseen": "2019-05-29T19:20:00", "bulletinFamily": "info", "cvelist": ["CVE-2018-4046"], "description": "# Talos Vulnerability Report\n\n### TALOS-2018-0720\n\n## Clean My Mac X pleaseTerminate denial-of-service vulnerability\n\n##### January 2, 2019\n\n##### CVE Number\n\nCVE-2018-4046\n\n### Summary\n\nAn exploitable denial-of-service vulnerability exists in the helper service of Clean My Mac X, version 4.04, due to improper input validation. A user with local access can use this vulnerability to terminate a privileged helper application. An attacker would need local access to the machine for a successful exploit.\n\n### Tested Versions\n\nClean My Mac X 4.04\n\n### Product URLs\n\n<https://macpaw.com/cleanmymac>\n\n### CVSSv3 Score\n\n7.1 - CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:C/C:N/I:H/A:N\n\n### CWE\n\nCWE-19: Improper Input Validation\n\n### Details\n\nCleanMyMac X is an all-in-one cleanup and optimization tool for the Mac operating system. The application is able to scan the system and user directories, looking for unused and leftover files and applications. The applications also markets the ability to help detect and prevent viruses and malware on OS X. The software utilizes a privilege helper tool running as root to get this work done faster. 
This allows the application to remove and modify system files.\n\nThe vulnerability arises in the `pleaseTerminate` function of the helper protocol. The code for this function is:\n \n \n v2 = -[CMPriviligedOperations xpcConnection](self, \"xpcConnection\");\n v3 = objc_retainAutoreleasedReturnValue(v2);\n objc_msgSend(v3, \"suspend\");\n objc_release(v3);\n exit(0); [0]\n \n\nAt location [0], the process terminates itself. This code runs inside of the root daemon and has no validation of the calling application, therefore, any application is able to access this function. This crosses a privilege boundary, allowing non-root users to terminate the root daemon thus circumventing any protection offered by this daemon.\n\n### Exploit Proof of Concept\n\nIncluded with this advisory is an Xcode project, as well as a Python script. The Python script needs an administrator\u2019s password to set up some root files on the system and exploit the vulnerability. The Xcode project contains the proof of concept.\n\n### Timeline\n\n2018-11-20 - Vendor Disclosure \n2018-12-27 - Vendor Patched \n2019-01-02 - Public Release\n\n##### Credit\n\nDiscovered by Tyler Bohan of Cisco Talos.\n\n* * *\n\nVulnerability Reports Next Report\n\nTALOS-2018-0721\n\nPrevious Report\n\nTALOS-2018-0719\n", "edition": 3, "modified": "2019-01-02T00:00:00", "published": "2019-01-02T00:00:00", "id": "TALOS-2018-0720", "href": "http://www.talosintelligence.com/vulnerability_reports/TALOS-2018-0720", "title": "Clean My Mac X pleaseTerminate denial-of-service vulnerability", "type": "talos", "cvss": {"score": 2.1, "vector": "AV:L/AC:L/Au:N/C:N/I:P/A:N"}}, {"lastseen": "2019-05-29T19:19:59", "bulletinFamily": "info", "cvelist": ["CVE-2018-4032"], "description": "# Talos Vulnerability Report\n\n### TALOS-2018-0705\n\n## CleanMyMac X moveItemAtPath privilege escalation vulnerability\n\n##### January 2, 2019\n\n##### CVE Number\n\nCVE-2018-4032\n\n### Summary\n\nAn exploitable privilege escalation vulnerability 
exists in the way the CleanMyMac X software improperly validates inputs. An attacker with local access could use this vulnerability to modify the file system as root. An attacker would need local access to the machine for a successful exploit.\n\n### Tested Versions\n\nClean My Mac X 4.04\n\n### Product URLs\n\n<https://macpaw.com/cleanmymac>\n\n### CVSSv3 Score\n\n7.1 - CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:C/C:N/I:H/A:N\n\n### CWE\n\nCWE-19: Improper Input Validation\n\n### Details\n\nCleanMyMac X is an all-in-one cleanup and optimization tool for the Mac operating system. The application is able to scan the system and user directories, looking for unused and leftover files and applications. The applications also markets the ability to help detect and prevent viruses and malware on OS X. The software utilizes a privilege helper tool running as root to get this work done faster. This allows the application to remove and modify system files.\n\nThe vulnerability arises in the `moveItemAtPath` function of the helper protocol. The code for this function is:\n \n \n at_path = objc_retain(a3);\n to_path = objc_retain(a_4);\n v9 = objc_msgSend(&OBJC_CLASS___NSFileManager, \"defaultManager\");\n v10 = (void *)objc_retainAutoreleasedReturnValue(v9);\n v13 = 0LL;\n v15 = objc_msgSend(v10, \"advancedMoveItemAtPath:toPath:error:\", at_path, to_path, 0LL);\n \n\nAt location [0], a user-supplied argument is passed into the function `advancedMoveItemAtPath`. By supplying `nil` in the to_path argument, the file is then deleted. There is no validation of the calling application thus any application is able to access this function and because this is a privileged helper it runs as root. This crosses a privilege boundary allowing non-root users to delete files from the root file system.\n\n### Exploit Proof of Concept\n\nIncluded with this advisory is an Xcode project, as well as a Python script. 
The Python script needs an administrator\u2019s password to set up some root files on the system before exploiting the vulnerabilities. The Xcode project contains the proof of concept.\n\n### Timeline\n\n2018-11-09 - Vendor Disclosure \n2018-12-27 - Vendor Patched \n2019-01-02 - Public Release\n\n##### Credit\n\nDiscovered by Tyler Bohan of Cisco Talos.\n\n* * *\n\nVulnerability Reports Next Report\n\nTALOS-2018-0706\n\nPrevious Report\n\nTALOS-2018-0654\n", "edition": 3, "modified": "2019-01-02T00:00:00", "published": "2019-01-02T00:00:00", "id": "TALOS-2018-0705", "href": "http://www.talosintelligence.com/vulnerability_reports/TALOS-2018-0705", "title": "CleanMyMac X moveItemAtPath privilege escalation vulnerability", "type": "talos", "cvss": {"score": 6.6, "vector": "AV:L/AC:L/Au:N/C:N/I:C/A:C"}}, {"lastseen": "2019-05-29T19:20:07", "bulletinFamily": "info", "cvelist": ["CVE-2018-4034"], "description": "# Talos Vulnerability Report\n\n### TALOS-2018-0707\n\n## CleanMyMac X removeItemAtPath Privilege Escalation Vulnerability\n\n##### January 2, 2019\n\n##### CVE Number\n\nCVE-2018-4034\n\n### Summary\n\nThe CleanMyMac X software contains an exploitable privilege escalation vulnerability that exists due to improper input validation. An attacker with local access could use this vulnerability to modify the file system as root.\n\n### Tested Versions\n\nClean My Mac X 4.04\n\n### Product URLs\n\n<https://macpaw.com/cleanmymac>\n\n### CVSSv3 Score\n\n7.1 - CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:C/C:N/I:H/A:N\n\n### CWE\n\nCWE-19: Improper Input Validation\n\n### Details\n\nCleanMyMac X is an all-in-one cleanup and optimization tool for the Mac operating system. The application is able to scan the system and user directories, looking for unused and leftover files and applications. The applications also markets the ability to help detect and prevent viruses and malware on OS X. The software utilizes a privilege helper tool running as root to get this work done faster. 
This allows the application to remove and modify system files.\n\nThe vulnerability arises in `removeItemAtPath` function of the helper protocol. The code for this function is:\n \n \n v10 = 0LL;\n v7 = objc_msgSend(&OBJC_CLASS___NSFileManager, \"defaultManager\", 0LL);\n v8 = (void *)objc_retainAutoreleasedReturnValue(v7);\n v9 = (unsigned __int64)objc_msgSend(v8, \"removeFileAtPath:error:\", arg_3, &v10); [0]\n if ( arg_4 )\n (*(void (__fastcall **)(__int64, _QWORD, __int64))(arg_4 + 16))(arg_4, (unsigned int)v9, v10);\n \n\nAt location [0], a user-supplied argument is passed into the function `removeFileAtPath`. There is no validation of the calling application. Therefore, any application is able to access this function, and because this is a privileged helper, it runs as root. This crosses a privilege boundary, allowing non-root users to delete files from the root file system.\n\n### Exploit Proof of Concept\n\nIncluded with this advisory is an Xcode project, as well as a Python script. The Python script needs an administrator password to set up some root files on the system to demonstrate the vulnerabilities. 
The Xcode project contains the proof of concept.\n\n### Timeline\n\n2018-11-09 - Vendor Disclosure \n2018-12-27 - Vendor Patched \n2019-01-02 - Public Release\n\n##### Credit\n\nDiscovered by Tyler Bohan of Cisco Talos.\n\n* * *\n\nVulnerability Reports Next Report\n\nTALOS-2018-0709\n\nPrevious Report\n\nTALOS-2018-0708\n", "edition": 3, "modified": "2019-01-02T00:00:00", "published": "2019-01-02T00:00:00", "id": "TALOS-2018-0707", "href": "http://www.talosintelligence.com/vulnerability_reports/TALOS-2018-0707", "title": "CleanMyMac X removeItemAtPath Privilege Escalation Vulnerability", "type": "talos", "cvss": {"score": 6.6, "vector": "AV:L/AC:L/Au:N/C:N/I:C/A:C"}}, {"lastseen": "2019-05-29T19:19:51", "bulletinFamily": "info", "cvelist": ["CVE-2018-4047"], "description": "# Talos Vulnerability Report\n\n### TALOS-2018-0721\n\n## Clean My Mac X disableLaunchdAgentAtPath privilege escalation vulnerability\n\n##### January 2, 2019\n\n##### CVE Number\n\nCVE-2018-4047\n\n### Summary\n\nAn exploitable privilege escalation vulnerability exists in the helper service of Clean My Mac X, version 4.04, due to improper input validation. An attacker with local access could exploit this vulnerability to modify the file system as root.\n\n### Tested Versions\n\nClean My Mac X 4.04\n\n### Product URLs\n\n<https://macpaw.com/cleanmymac>\n\n### CVSSv3 Score\n\n7.1 - CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:C/C:N/I:H/A:N\n\n### CWE\n\nCWE-19: Improper Input Validation\n\n### Details\n\nCleanMyMac X is an all-in-one cleanup and optimization tool for the Mac operating system. The application is able to scan the system and user directories, looking for unused and leftover files and applications. The applications also markets the ability to help detect and prevent viruses and malware on OS X. The software utilizes a privilege helper tool running as root to get this work done faster. 
This allows the application to remove and modify system files.\n\nThe vulnerability lies in the `disableLaunchdAgentAtPath` function of the helper protocol. The code for this function is:\n \n \n user_input = objc_retain(arg_3);\n v8 = objc_retain(v6);\n v9 = +[CMLaunchdManager disableAgentAtPath:](&OBJC_CLASS___CMLaunchdManager, \"disableAgentAtPath:\", user_input, v5); [0]\n objc_release(user_input);\n \n\nAt location [0], the process passes user input directly into `disableLaunchdAgentAtPath`, which simply calls `launchtl` and unloads the script from the provided location. All `launchtl` commands must be run as root. There is no validation of the calling application, therefore, any application is able to access this function. This crosses a privilege boundary, allowing non-root users to uninstall `launchd` scripts as root.\n\n### Exploit Proof of Concept\n\nIncluded with this advisory is an Xcode project as well as a Python script. The Python script needs an administrator\u2019s password to set up some root files on the system and exploit the vulnerability. 
The Xcode project contains the proof of concept.\n\n### Timeline\n\n2018-11-20 - Vendor Disclosure \n2018-12-27 - Vendor Patched \n2019-01-02 - Public Release\n\n##### Credit\n\nDiscovered by Tyler Bohan of Cisco Talos.\n\n* * *\n\nVulnerability Reports Next Report\n\nTALOS-2018-0614\n\nPrevious Report\n\nTALOS-2018-0720\n", "edition": 4, "modified": "2019-01-02T00:00:00", "published": "2019-01-02T00:00:00", "id": "TALOS-2018-0721", "href": "http://www.talosintelligence.com/vulnerability_reports/TALOS-2018-0721", "title": "Clean My Mac X disableLaunchdAgentAtPath privilege escalation vulnerability", "type": "talos", "cvss": {"score": 6.6, "vector": "AV:L/AC:L/Au:N/C:N/I:C/A:C"}}, {"lastseen": "2019-05-29T19:19:52", "bulletinFamily": "info", "cvelist": ["CVE-2018-4045"], "description": "# Talos Vulnerability Report\n\n### TALOS-2018-0719\n\n## Clean My Mac X securelyRemoveItemAtPath privilege escalation vulnerability\n\n##### January 2, 2019\n\n##### CVE Number\n\nCVE-2018-4045\n\n### Summary\n\nAn exploitable privilege escalation vulnerability exists in the helper service of Clean My Mac X, version 4.04, due to improper input validation. An attacker with local access could exploit this vulnerability to modify the file system as root.\n\n### Tested Versions\n\nClean My Mac X 4.04\n\n### Product URLs\n\n<https://macpaw.com/cleanmymac>\n\n### CVSSv3 Score\n\n7.1 - CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:C/C:N/I:H/A:N\n\n### CWE\n\nCWE-19: Improper Input Validation\n\n### Details\n\nCleanMyMac X is an all-in-one cleanup and optimization tool for the Mac operating system. The application is able to scan the system and user directories, looking for unused and leftover files and applications. The applications also markets the ability to help detect and prevent viruses and malware on OS X. The software utilizes a privilege helper tool running as root to get this work done faster. 
This allows the application to remove and modify system files.\n\nThe vulnerability arises in the `securelyRemoveItemAtPath` functiona of the helper protocol. The code for this function is:\n \n \n user_input = objc_retain(arg_3);\n v9 = objc_msgSend(&OBJC_CLASS___NSFileManager, \"defaultManager\", v5);\n v10 = objc_retainAutoreleasedReturnValue(v9);\n v11 = objc_msgSend(v10, \"securelyRemoveFileAtPath:error:\", user_input, 0LL); [0]\n objc_release(user_input);\n objc_release(v10);\n \n\nAt location [0], a user-supplied argument is passed into the function `securelyRemoveFileAtPath`. There is no validation of the calling application, therefore, any application is able to access this function, and because this is a privileged helper, it runs as root. This crosses a privilege boundary, allowing non-root users to delete files from the root file system.\n\n### Exploit Proof of Concept\n\nIncluded with this advisory is an Xcode project as well as a Python script. The Python script needs an administrator\u2019s password to set up some root files on the system and exploit the vulnerability. 
The Xcode project contains the proof of concept.\n\n### Timeline\n\n2018-11-20 - Vendor Disclosure \n2018-12-27 - Vendor Patched \n2019-01-02 - Public Release\n\n##### Credit\n\nDiscovered by Tyler Bohan of Cisco Talos.\n\n* * *\n\nVulnerability Reports Next Report\n\nTALOS-2018-0720\n\nPrevious Report\n\nTALOS-2018-0718\n", "edition": 3, "modified": "2019-01-02T00:00:00", "published": "2019-01-02T00:00:00", "id": "TALOS-2018-0719", "href": "http://www.talosintelligence.com/vulnerability_reports/TALOS-2018-0719", "title": "Clean My Mac X securelyRemoveItemAtPath privilege escalation vulnerability", "type": "talos", "cvss": {"score": 6.6, "vector": "AV:L/AC:L/Au:N/C:N/I:C/A:C"}}, {"lastseen": "2019-05-29T19:19:54", "bulletinFamily": "info", "cvelist": ["CVE-2018-4036"], "description": "# Talos Vulnerability Report\n\n### TALOS-2018-0709\n\n## CleanMyMac X removeKextAtPath privilege escalation vulnerability\n\n##### January 2, 2019\n\n##### CVE Number\n\nCVE-2018-4036\n\n### Summary\n\nThe CleanMyMac X software contains an exploitable privilege escalation vulnerability due to improper input validation. An attacker with local access could use this vulnerability to modify the running kernel extensions on the system.\n\n### Tested Versions\n\nClean My Mac X 4.04\n\n### Product URLs\n\n<https://macpaw.com/cleanmymac>\n\n### CVSSv3 Score\n\n7.1 - CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:C/C:N/I:H/A:N\n\n### CWE\n\nCWE-19: Improper Input Validation\n\n### Details\n\nCleanMyMac X is an all-in-one cleanup and optimization tool for the Mac operating system. The application is able to scan the system and user directories, looking for unused and leftover files and applications. The applications also markets the ability to help detect and prevent viruses and malware on OS X. The software utilizes a privilege helper tool running as root to get this work done faster. 
This allows the application to remove and modify system files.\n\nThe vulnerability arises in the `removeKextAtPath` function of the helper protocol. The code for this function is:\n \n \n kext = objc_retain(a3);\n v6 = objc_retain(a4);\n v7 = (CMKextManager *)objc_msgSend(&OBJC_CLASS___CMKextManager, \"alloc\");\n v8 = (CMKextManager *)objc_msgSend(v7, \"init\");\n v9 = (unsigned __int64)-[CMKextManager removeKextAtPath:](v8, \"removeKextAtPath:\", kext); [0]\n \n\nAt location [0], the user-supplied path is passed unchanged into `-[CMKextManager removeKextAtPath:]`. There is no validation of the calling application; therefore, any application is able to call this function, and because this is a privileged helper, it runs as root. This crosses a privilege boundary, allowing non-root users to unload kernel extensions running on the system and delete them from the system directory.\n\n### Exploit Proof of Concept\n\nIncluded with this advisory are an Xcode project and a Python script. The Python script needs an administrator\u2019s password to set up some root files on the system before the vulnerability is exploited. The Xcode project contains the proof of concept. 
Users should be very careful while testing this, as it will remove a kernel extension from the system folder and unload it from the running kernel.\n\n### Timeline\n\n2018-11-09 - Vendor Disclosure \n2018-12-27 - Vendor Patched \n2019-01-02 - Public Release\n\n##### Credit\n\nDiscovered by Tyler Bohan of Cisco Talos.\n", "edition": 3, "modified": "2019-01-02T00:00:00", "published": "2019-01-02T00:00:00", "id": "TALOS-2018-0709", "href": "http://www.talosintelligence.com/vulnerability_reports/TALOS-2018-0709", "title": "CleanMyMac X removeKextAtPath privilege escalation vulnerability", "type": "talos", "cvss": {"score": 6.6, "vector": "AV:L/AC:L/Au:N/C:N/I:C/A:C"}}, {"lastseen": "2019-05-29T19:20:06", "bulletinFamily": "info", "cvelist": ["CVE-2018-4043"], "description": "# Talos Vulnerability Report\n\n### TALOS-2018-0717\n\n## Clean My Mac X removeASL Privilege Escalation Vulnerability\n\n##### January 2, 2019\n\n##### CVE Number\n\nCVE-2018-4043\n\n### Summary\n\nAn exploitable privilege escalation vulnerability exists in the helper service of Clean My Mac X, version 4.04, due to improper input validation. A user with local access can use this vulnerability to modify the file system as root; local access to the machine is required for a successful exploit.\n\n### Tested Versions\n\nClean My Mac X 4.04\n\n### Product URLs\n\n<https://macpaw.com/cleanmymac>\n\n### CVSSv3 Score\n\n7.1 - CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:C/C:N/I:H/A:N\n\n### CWE\n\nCWE-20: Improper Input Validation\n\n### Details\n\nClean My Mac X is an all-in-one Mac cleaning tool. The application is able to scan through system and user directories looking for unused and leftover files and applications. The application also markets the ability to help detect and prevent viruses and malware on OS X. To get all of this work done, it utilizes a privileged helper tool running as root. 
This allows the application to remove and modify system files.\n\nThe vulnerability arises in the `removeASL` function of the helper protocol. The code for this function is shown below:\n \n \n v5 = objc_retain(a3);\n if ( !+[CMLaunchdManager stopAgentWithLabel:]( [0]\n &OBJC_CLASS___CMLaunchdManager,\n \"stopAgentWithLabel:\",\n CFSTR(\"com.apple.syslogd\"),\n v4) )\n {\n v11 = \"Failed to stop com.apple.syslogd\";\n goto LABEL_11;\n }\n if ( !+[CMLaunchdManager stopAgentWithLabel:]( [1]\n &OBJC_CLASS___CMLaunchdManager,\n \"stopAgentWithLabel:\",\n CFSTR(\"com.apple.aslmanager\")) )\n {\n v11 = \"Failed to stop com.apple.aslmanager\";\n goto LABEL_11;\n }\n v6 = objc_msgSend(&OBJC_CLASS___NSFileManager, \"defaultManager\");\n v7 = objc_retainAutoreleasedReturnValue(v6);\n v8 = objc_msgSend(v7, \"removeContentsOfDirectoryAtPath:\", CFSTR(\"/var/log/asl\")); [2]\n objc_release(v7);\n \n\nAt location [0], the helper stops the system logging daemon (`com.apple.syslogd`), and at location [1] it does the same for the Apple System Log manager (`com.apple.aslmanager`). Both are root launchd jobs, so stopping them on behalf of an unprivileged caller is itself a privilege issue. At location [2], the contents of `/var/log/asl`, which only root can modify, are deleted, crossing a second privilege boundary. There is no validation of the calling application, so any application is able to call this function. As a result, non-root users can stop system logging and delete privileged log data.\n\n### Exploit Proof of Concept\n\nIncluded with this advisory are an Xcode project and a Python script. The Python script needs an administrator\u2019s password to set up some root files on the system to demonstrate the vulnerability. 
The Xcode project contains the proof of concept.\n\n### Timeline\n\n2018-11-20 - Vendor Disclosure \n2018-12-27 - Vendor Patched \n2019-01-02 - Public Release\n\n##### Credit\n\nDiscovered by Tyler Bohan of Cisco Talos.\n", "edition": 3, "modified": "2019-01-02T00:00:00", "published": "2019-01-02T00:00:00", "id": "TALOS-2018-0717", "href": "http://www.talosintelligence.com/vulnerability_reports/TALOS-2018-0717", "title": "Clean My Mac X removeASL Privilege Escalation Vulnerability", "type": "talos", "cvss": {"score": 6.6, "vector": "AV:L/AC:L/Au:N/C:N/I:C/A:C"}}]}
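All three reports above (securelyRemoveItemAtPath, removeKextAtPath and removeASL) describe the same root cause: a root XPC helper that accepts any local connection and acts on whatever it is sent. The following is an added illustration, not code from CleanMyMac or from Talos, of that vulnerable listener shape beside a hardened one. The Mach service name, the `ExampleHelperProtocol` interface, the client bundle identifier and Team ID in the requirement string, and the `/Library/Caches` allowed root are all hypothetical placeholders; `setCodeSigningRequirement:` requires the macOS 13 SDK, and the PID-based fallback is included for older systems.

```objective-c
// Added example (hypothetical names): missing caller check in a root XPC helper,
// and the same helper with a code-signing requirement plus argument validation.
#import <Foundation/Foundation.h>
#import <Security/Security.h>

static NSString * const kHelperMachServiceName = @"com.example.privhelper";   // hypothetical
// Apple-issued signature, expected bundle identifier, expected Team ID (placeholders).
static NSString * const kClientRequirement =
    @"anchor apple generic and identifier \"com.example.cleaner\" "
    @"and certificate leaf[subject.OU] = \"ABCDE12345\"";

@protocol ExampleHelperProtocol <NSObject>
- (void)removeItemAtPath:(NSString *)path reply:(void (^)(BOOL ok, NSString *message))reply;
@end

/* Vulnerable shape: every connection is accepted, so any local process can drive
 * the root helper's operations. This is the pattern behind the reports above. */
@interface VulnerableHelper : NSObject <NSXPCListenerDelegate, ExampleHelperProtocol>
@end
@implementation VulnerableHelper
- (BOOL)listener:(NSXPCListener *)listener shouldAcceptNewConnection:(NSXPCConnection *)conn {
    conn.exportedInterface = [NSXPCInterface interfaceWithProtocol:@protocol(ExampleHelperProtocol)];
    conn.exportedObject = self;
    [conn resume];
    return YES;                                   // no check of who is calling
}
- (void)removeItemAtPath:(NSString *)path reply:(void (^)(BOOL, NSString *))reply {
    NSError *err = nil;                           // path used exactly as supplied
    BOOL ok = [[NSFileManager defaultManager] removeItemAtPath:path error:&err];
    reply(ok, ok ? @"removed" : err.localizedDescription);
}
@end

/* Fallback for systems without setCodeSigningRequirement:. A PID can be reused once
 * the peer exits, so this is weaker than the audit-token check the framework does. */
static BOOL ProcessSatisfiesRequirement(pid_t pid, NSString *requirementText) {
    SecCodeRef code = NULL;
    SecRequirementRef req = NULL;
    NSDictionary *attrs = @{ (__bridge id)kSecGuestAttributePid : @(pid) };
    OSStatus st = SecCodeCopyGuestWithAttributes(NULL, (__bridge CFDictionaryRef)attrs,
                                                 kSecCSDefaultFlags, &code);
    if (st != errSecSuccess) return NO;
    st = SecRequirementCreateWithString((__bridge CFStringRef)requirementText,
                                        kSecCSDefaultFlags, &req);
    if (st == errSecSuccess) st = SecCodeCheckValidity(code, kSecCSDefaultFlags, req);
    if (req) CFRelease(req);
    CFRelease(code);
    return st == errSecSuccess;
}

/* Argument validation: absolute, no ".." components, and still inside the
 * directory the helper is meant to manage after symlinks are resolved. */
static BOOL PathIsPermitted(NSString *path, NSString *allowedRoot) {
    if (path.length == 0 || ![path isAbsolutePath]) return NO;
    if ([[path pathComponents] containsObject:@".."]) return NO;
    NSString *resolved = [path stringByResolvingSymlinksInPath];
    NSString *root = [[allowedRoot stringByResolvingSymlinksInPath] stringByAppendingString:@"/"];
    return [resolved hasPrefix:root];
}

/* Hardened shape: the peer must satisfy the requirement before it gets an
 * exported object, and each argument is checked before the root operation. */
@interface HardenedHelper : NSObject <NSXPCListenerDelegate, ExampleHelperProtocol>
@end
@implementation HardenedHelper
- (BOOL)listener:(NSXPCListener *)listener shouldAcceptNewConnection:(NSXPCConnection *)conn {
    if (@available(macOS 13.0, *)) {
        // Checked from the kernel-supplied audit token before any message is delivered.
        [conn setCodeSigningRequirement:kClientRequirement];
    } else if (!ProcessSatisfiesRequirement(conn.processIdentifier, kClientRequirement)) {
        return NO;
    }
    conn.exportedInterface = [NSXPCInterface interfaceWithProtocol:@protocol(ExampleHelperProtocol)];
    conn.exportedObject = self;
    [conn resume];
    return YES;
}
- (void)removeItemAtPath:(NSString *)path reply:(void (^)(BOOL, NSString *))reply {
    if (!PathIsPermitted(path, @"/Library/Caches")) {   // hypothetical allowed root
        reply(NO, @"path rejected");
        return;
    }
    NSError *err = nil;
    BOOL ok = [[NSFileManager defaultManager] removeItemAtPath:path error:&err];
    reply(ok, ok ? @"removed" : err.localizedDescription);
}
@end

int main(void) {
    @autoreleasepool {
        HardenedHelper *helper = [HardenedHelper new];
        NSXPCListener *listener = [[NSXPCListener alloc] initWithMachServiceName:kHelperMachServiceName];
        listener.delegate = helper;
        [listener resume];
        [[NSRunLoop currentRunLoop] run];         // serve until launchd stops the job
    }
    return 0;
}
```

The caller check is the fix common to all three reports; argument validation on its own would not have helped `removeASL`, whose arguments are fixed strings, and a path allowlist is only a second layer because the resolve-then-act sequence still leaves a small race with a caller that can swap symlinks. Build with `clang -fobjc-arc -framework Foundation -framework Security` against the macOS 13 SDK or later.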