An exploitable privilege escalation vulnerability exists in the helper service CleanMyMac X, version 4.20, due to improper updating. The application failed to remove the vulnerable components upon upgrading to the latest version, leaving the user open to attack. A user with local access can use this vulnerability to modify the file system as root. An attacker would need local access to the machine for a successful exploit.
Clean My Mac X 4.20
7.1 - CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:C/C:N/I:H/A:N
CWE-459: Incomplete Cleanup
CleanMyMac X is an all-in-one Mac cleaning tool. The application is able to scan through system and user directories looking for unused and leftover files and applications. The application also markets the ability to help detect and prevent viruses and malware on OS X. To get all of this work done, they utilize a privilege helper tool running as root. This allows the application to remove and modify system files.
The vulnerability references TALOS-2018-0705 to TALOS-2018-0710 and TALOS-2018-0714 to TALOS-2018-0721. Upon installing the provided update, the vulnerable code is still left intact and listening on the system. This means that, although the application no longer uses the vulnerable code, it is still available for an attacker to take advantage of.
Included with this advisory is an Xcode project, as well as a Python script. The Python script needs an administrator’s password to set up some root files on the system to demonstrate the vulnerabilities. The Xcode project contains the proof of concept.
2019-01-15 - Vendor Disclosure
2019-03-11 - Public Release
Discovered by Tyler Bohan of Cisco Talos.