Talos Vulnerability Report

TALOS-2018-0717

Clean My Mac X removeASL Privilege Escalation Vulnerability

January 2, 2019
CVE Number

CVE-2018-4043

Summary

An exploitable privilege escalation vulnerability exists in the Clean My Mac X, version 4.04, helper service due to improper input validation. A user with local access can use this vulnerability to modify the file system as root. An attacker would need local access to the machine for a successful exploit.

Tested Versions

Clean My Mac X 4.04

Product URLs

https://macpaw.com/cleanmymac

CVSSv3 Score

7.1 - CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:C/C:N/I:H/A:N

CWE

CWE-19: Improper Input Validation

Details

Clean My Mac X is an all in one Mac cleaning tool. The application is able to scan through system and user directories looking for unused and leftover files and applications. The applications also markets ability to help detect and prevent viruses and malware on OS X. To get all of this work done they utilize a privilege helper tool running as root. This allows the application to remove and modify system files.

The vulnerability arises in removeASL functionality of the helper protocol. The code for this function is shown below:

  v5 = objc_retain(a3);
  if ( !+[CMLaunchdManager stopAgentWithLabel:](                                       [0]
          &OBJC_CLASS___CMLaunchdManager,
          "stopAgentWithLabel:",
          CFSTR("com.apple.syslogd"),
          v4) )
  {
    v11 = "Failed to stop com.apple.syslogd";
    goto LABEL_11;
  }
  if ( !+[CMLaunchdManager stopAgentWithLabel:](                                        [1]
          &OBJC_CLASS___CMLaunchdManager,
          "stopAgentWithLabel:",
          CFSTR("com.apple.aslmanager")) )
  {
    v11 = "Failed to stop com.apple.aslmanager";
    goto LABEL_11;
  }
  v6 = objc_msgSend(&OBJC_CLASS___NSFileManager, "defaultManager");
  v7 = objc_retainAutoreleasedReturnValue(v6);
  v8 = objc_msgSend(v7, "removeContentsOfDirectoryAtPath:", CFSTR("/var/log/asl"));      [2]
  objc_release(v7);

At location [0], the process calls out and stops the system daemon for logging and at location [1], does the same thing for Apple System Log facility. As both of these are root daemons this creates a privilege issue. At location [2] all logs stored by the Apple System Log facility are then deleted crossing another privilege boundary as all these logs are protected by root. There is no validation of the calling application thus any application is able to access this function. This crosses a privilege boundary allowing non-root users to delete privileged information about a package.

Exploit Proof of Concept

Included with this advisory is an Xcode project as well as a Python script. The Python script needs an administrator password to set up some root files on the system to demonstrate the vulnerabilities. The Xcode project contains the proof of concept.

Timeline

2018-11-20 - Vendor Disclosure
2018-12-27 - Vendor Patched
2019-01-02 - Public Release

Credit

Discovered by Tyler Bohan of Cisco Talos.