Talos Vulnerability Report

TALOS-2018-0720

Clean My Mac X pleaseTerminate denial-of-service vulnerability

January 2, 2019
CVE Number

CVE-2018-4046

Summary

An exploitable denial-of-service vulnerability exists in the helper service of Clean My Mac X, version 4.04, due to improper input validation. A user with local access can use this vulnerability to terminate a privileged helper application. An attacker would need local access to the machine for a successful exploit.

Tested Versions

Clean My Mac X 4.04

Product URLs

https://macpaw.com/cleanmymac

CVSSv3 Score

7.1 - CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:C/C:N/I:H/A:N

CWE

CWE-19: Improper Input Validation

Details

CleanMyMac X is an all-in-one cleanup and optimization tool for the Mac operating system. The application is able to scan the system and user directories, looking for unused and leftover files and applications. The applications also markets the ability to help detect and prevent viruses and malware on OS X. The software utilizes a privilege helper tool running as root to get this work done faster. This allows the application to remove and modify system files.

The vulnerability arises in the pleaseTerminate function of the helper protocol. The code for this function is:

v2 = -[CMPriviligedOperations xpcConnection](self, "xpcConnection");
v3 = objc_retainAutoreleasedReturnValue(v2);
objc_msgSend(v3, "suspend");
objc_release(v3);
exit(0);                                                                  [0]

At location [0], the process terminates itself. This code runs inside of the root daemon and has no validation of the calling application, therefore, any application is able to access this function. This crosses a privilege boundary, allowing non-root users to terminate the root daemon thus circumventing any protection offered by this daemon.

Exploit Proof of Concept

Included with this advisory is an Xcode project, as well as a Python script. The Python script needs an administrator’s password to set up some root files on the system and exploit the vulnerability. The Xcode project contains the proof of concept.

Timeline

2018-11-20 - Vendor Disclosure
2018-12-27 - Vendor Patched
2019-01-02 - Public Release

Credit

Discovered by Tyler Bohan of Cisco Talos.