The CleanMyMac X software contains an exploitable privilege escalation vulnerability due to improper input validation. An attacker with local access could use this vulnerability to modify the file system as root.
Clean My Mac X 4.04
7.1 - CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:C/C:N/I:H/A:N
CWE-19: Improper Input Validation
CleanMyMac X is an all-in-one cleanup and optimization tool for the Mac operating system. The application is able to scan the system and user directories, looking for unused and leftover files and applications. The applications also markets the ability to help detect and prevent viruses and malware on OS X. The software utilizes a privilege helper tool running as root to get this work done faster. This allows the application to remove and modify system files.
The vulnerability arises in
moveToTrashItemAtPath functionality of the helper protocol. The code for this function is:
path = objc_retain(a3); v6 = objc_retain(a4); v7 = objc_msgSend(&OBJC_CLASS___NSFileManager, "defaultManager"); v8 = (void *)objc_retainAutoreleasedReturnValue(v7); v10 = 0LL; v11 = objc_msgSend(v8, "advancedMoveItemAtPath:toPath:error:", path, 0LL, &v10); 
At location , a user-supplied argument is passed into the function
advancedMoveItemAtPath. The file is deleted if
nil is entered into the fourth argument. There is no validation of the calling application. Therefore, any application is able to access this function, and because this is a privileged helper, it runs as root. This crosses a privilege boundary, allowing non-root users to delete files from the root file system.
Included with this advisory is an Xcode project and a Python script. The Python script needs an administrator password to set up some root files on the system before it can exploit these vulnerabilities. The Xcode project contains the proof of concept.
2018-11-09 - Vendor Disclosure
2018-12-27 - Vendor Patched
2019-01-02 - Public Release
Discovered by Tyler Bohan of Cisco Talos.