MacPaw’s CleanMyMac X software is a cleanup application used to free up the disk space on users’ machines by scanning for unused and unnecessary files and deleting them. Researchers recently spotted several privilege escalation vulnerabilities in the software which could allow attackers to gain local access to victims’ machines. The attackers could then modify the file system as root.
Researchers from Cisco Talos detected 13 privilege escalation vulnerabilities in CleanMyMac X software. Talos has tested and confirmed that Clean My Mac X, version 4.04 is affected by all of these vulnerabilities.
Delete files from the root file system
One of the privilege escalation vulnerability arises in the ‘moveItemAtPath’ function of the helper protocol as CleanMyMac X software improperly validates the inputs. This vulnerability could allow non-root users to delete files from the root file system.
Similar vulnerabilities that arise in ‘moveToTrashItemAtPath’, ‘removeItemAtPath’, ‘truncateFileAtPath’, and ‘removeKextAtPath’ of the helper could allow non-root users to cross privilege boundary and delete files from the root file system.
Delete main log data from the root file system
Another set of vulnerabilities that arise in ‘removeDiagnosticsLogs’, ‘enableLaunchdAgentAtPath’, and ‘removeLaunchdAgentAtPath’ of the helper protocol could allow non-root users to delete main log data from the system.
Delete a package's privileged information from the system
The vulnerabilities that arise in ‘removeASL’ and ‘removePackageWithID’ of the helper protocol exists in a way that the cleanup software improperly validates the inputs. These bugs could allow non-root users to cross privilege boundary and delete a package’s privileged information from the root file system.
Terminate root daemon
This vulnerability also exists in the helper protocol of the CleanMyMac X software. This privilege escalation bug arises in the ‘pleaseTerminate’ function of the helper protocol allowing non-root users to terminate this root daemon.
Uninstall 'launchd' scripts as root
This particular bug which arises in the ‘disableLaunchdAgentAtPath’ function of the helper protocol allows non-root users to exploit the vulnerability and uninstall ‘launchd’ scripts as root.
Further details on all the vulnerabilities can be found at the Talos blog. Researchers from Cisco Talos have reported these vulnerabilities to MacPaw and are closely working with them to ensure these issues are fixed.
Talos recommends all users to update to the latest version of CleanMyMac X (version 4.2.0).