Recently addressed vulnerabilities in the popular macOS cleanup application CleanMyMac X could allow attackers to modify the file system as root, Cisco Talos security researchers reveal.
Created by MacPaw, CleanMyMac X allows users to scan their macOS machines for unused or unnecessary files and delete them to free up extra space. The application includes various other optimization and performance monitor functions, and can also remove malware.
Talos’ security researchers found a total of 13 vulnerabilities in version 4.04 of the application, 12 of which are privilege escalation flaws, while the last is a denial-of-service issue.
Tracked as CVE-2018-4032 and CVE-2018-4033, the first two privilege escalation bugs reside in the `moveItemAtPath` and `moveToTrashItemAtPath` functions of the helper protocol, respectively. Because CleanMyMac X improperly validates inputs, an attacker can use `nil` to function arguments, resulting in any other application accessing that function and deleting files from the root file system.
Three other flaws, CVE-2018-4034, CVE-2018-4035, and CVE-2018-4036, impact the `removeItemAtPath`, `truncateFileAtPath`, and `removeKextAtPath` functions of the helper protocol, respectively. Lack of validation makes it possible for any application to access these functions and run them as root, which could allow an attacker to delete files from the root file system.
The next three flaws, CVE-2018-4037, CVE-2018-4041, and CVE-2018-4042, impact the `removeDiagnosticsLogs`, the `enableLaunchdAgentAtPath`, and the `removeLaunchdAgentAtPath` functions of the helper protocol and could be exploited by a non-root user to delete the main log data from the system.
The CVE-2018-4043 and CVE-2018-4044 flaws reside in the `removeASL` and the `removePackageWithID` functions of the helper protocol and could be exploited by non-root users to delete a package’s privileged information.
Also a privilege escalation vulnerability, CVE-2018-4045 impacts the `securelyRemoveItemAtPath` function of the helper protocol and could allow non-root users to delete files from the root file system.
CleanMyMac X’s helper service is also impacted by a denial-of-service issue, due to improper input validation. Residing in the `pleaseTerminate` function, the vulnerability is caused by the lack of validation of the calling application, which allows non-root users to terminate this root daemon.
Another privilege escalation vulnerability in the software’s helper service impacts the `disableLaunchdAgentAtPath` function and is also the result of lack of validation, potentially allowing any non-root users to uninstall `launchd` scripts as root.
“It is recommended that users update to the latest version of this software (CleanMyMac X version 4.2.0). There are several ways in which an attacker could bypass the usual protections in place to acquire greater access to the machine and modify the file system as root,” Talos concludes.