Talos Vulnerability Report

TALOS-2018-0710

CleanMyMac X removeDiagnosticLogs privilege escalation vulnerability

January 2, 2019
CVE Number

CVE-2018-4037

Summary

The CleanMyMac X software contains an exploitable privilege escalation vulnerability due to improper input validation. An attacker with local access can use this vulnerability to modify the file system as root.

Tested Versions

Clean My Mac X 4.04

Product URLs

https://macpaw.com/cleanmymac

CVSSv3 Score

7.1 - CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:C/C:N/I:H/A:N

CWE

CWE-19: Improper Input Validation

Details

CleanMyMac X is an all-in-one cleanup and optimization tool for the Mac operating system. The application is able to scan the system and user directories, looking for unused and leftover files and applications. The applications also markets the ability to help detect and prevent viruses and malware on OS X. The software utilizes a privilege helper tool running as root to get this work done faster. This allows the application to remove and modify system files.

The vulnerability arises in removeDiagnosticLogs function of the helper protocol. The code for this function is:

 _mm_store_si128(
  (__m128i *)&v6,
  _mm_unpacklo_epi64((__m128i)(unsigned __int64)CFSTR("erase"), (__m128i)(unsigned __int64)CFSTR("--all")));    [0]
v3 = objc_retain(a3);
v4 = objc_msgSend(&OBJC_CLASS___NSArray, "arrayWithObjects:count:", &v6, 2LL);
v5 = objc_retainAutoreleasedReturnValue(v4);
((void (__fastcall *)(__objc2_class *, const char *, const __CFString *, __int64, const __CFString *, __int64))objc_msgSend)(                                                                                                   [1]
  &OBJC_CLASS___CMTaskRunner,
  "launchTask:arguments:standartInput:completionHandler:",
  CFSTR("/usr/bin/log"),
  v5,
  CFSTR("y"),
  v3);

At location [0], a string is constructed containing the objective-c strings, erase and all. Looking further down at location [1], there is a call to launchTask with /usr/bin/log as the argument and the variable with the created strings from above. Looking at the manual pages for the log binary, we see:

--all Deletes main log datastore, and inflight log data as well as time-to-live data (TTL), and the fault and error content.

There is no validation of the calling application. Therefore, any application is able to access this function and because this is a privileged helper, it runs as root.

Thus, any application is able to delete the main log data from the system clearly crossing a privilege boundary when accessed by a non-root user.

Exploit Proof of Concept

Included with this advisory is an Xcode project and a Python script. The Python script needs an administrator’s password to set up some root files on the system before exploiting the vulnerabilities. The Xcode project contains the proof of concept. Users should be careful when running removeDiagnosticLogs, as this will delete the logs from their system.

Timeline

2018-11-09 - Vendor Disclosure
2018-12-27 - Vendor Patched
2019-01-02 - Public Release

Credit

Discovered by Tyler Bohan of Cisco Talos.