Recently hackers have used vulnerabilities in the popular macOS cleanup application CleanMyMac X to modify the file system as root.
For those who don’t know it, CleanMyMac X is made by MacPaw. It scans your macOS machine for unused or unnecessary files and deletes them to free up space. The application also includes various other optimization and performance-monitoring functions, and it is advertised as being able to remove malware.
Sadly, the reality is very different from the advertised one: hackers have used a total of 13 vulnerabilities, present in version 4.04 of the application, to gain privilege escalation and to launch denial-of-service attacks.
The first two flaws are CVE-2018-4032 and CVE-2018-4033. Both are privilege escalation bugs in the moveToTrashItemAtPath functions of the helper protocol. Because the app improperly validates its inputs, an attacker can pass nil as the function arguments, reach the function, and delete whatever files he wants from the root file system.
The next flaws used by hackers are CVE-2018-4034, CVE-2018-4035, and CVE-2018-4036. They are based on the removeKextAtPath functions of the helper protocol. In this case, the lack of validation makes it possible for any application to reach these functions, run them as root, and delete files from the root file system.
It was also discovered that another three flaws, CVE-2018-4037, CVE-2018-4041, and CVE-2018-4042, present in the enableLaunchdAgentAtPath and removeLaunchdAgentAtPath functions of the helper protocol, can be exploited by a hacker with non-root user privileges to delete the main log data from the system.
Remember, everything can be hacked. To stay away from any threats in the cyber world, we recommend installing an antivirus for Windows or an antivirus for Mac on every device you own, depending on which OS it runs. If you are a company, we also recommend hiring a specialized cybersecurity company every year to run annual tests on your company’s network. These tests include penetration testing and ethical hacking tests.
The bad news continues, because the problems don’t stop here: another two flaws, CVE-2018-4043 and CVE-2018-4044, are made possible by the removeASL and removePackageWithID functions of the helper protocol. They too can be exploited by non-root users to delete a package’s privileged information.
The last privilege escalation vulnerability is CVE-2018-4045. It impacts the securelyRemoveItemAtPath function of the helper protocol and could also allow non-root users to delete files from the root file system.
The denial-of-service flaw is also due to improper input validation. It uses the pleaseTerminate function to terminate the root daemon.
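The common thread in the flaws above is a privileged helper that acts as root on a path handed to it by an unprivileged client without checking it. The following is an added example, not MacPaw’s code, that models the kind of argument validation such a helper should perform before touching the file system; the function names and the allowed-roots policy are assumptions for illustration.

```python
import posixpath
from typing import Optional, Sequence

# Constructed model of a privileged helper's path check. A real helper should
# additionally verify the connecting client's identity (e.g. its code signature)
# before honouring any request; that part is out of scope here.


def validate_removal_path(path: Optional[str], allowed_roots: Sequence[str]) -> bool:
    """Return True only if `path` is an absolute path strictly inside one of
    `allowed_roots` after lexical normalisation; otherwise False."""
    # Reject nil/empty arguments outright instead of letting them fall through.
    if not path:
        return False
    # Relative paths are ambiguous for a daemon running as root: reject.
    if not path.startswith("/"):
        return False
    # Collapse "." and ".." components so traversal cannot escape the root.
    norm = posixpath.normpath(path)
    for root in allowed_roots:
        root_norm = posixpath.normpath(root)
        # Must be inside the root, not the root itself, and the prefix match
        # must end at a path separator ("/Users/alice" must not match
        # "/Users/alicebob").
        if norm != root_norm and norm.startswith(root_norm + "/"):
            return True
    return False


def handle_move_to_trash(path: Optional[str], caller_home: str) -> str:
    """Model of the helper's request handler: only paths under the caller's
    own home directory are accepted (hypothetical policy)."""
    if not validate_removal_path(path, [caller_home]):
        return "rejected"
    # A real implementation would perform the privileged move here.
    return "accepted"


if __name__ == "__main__":
    home = "/Users/alice"  # constructed sample caller
    for candidate in (None, "", "cache/tmp", "/Users/alice/../../etc/hosts",
                      "/Users/alicebob/file", "/Users/alice/Library/Caches/x"):
        print(repr(candidate), "->", handle_move_to_trash(candidate, home))
```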
Experts recommend that all CleanMyMac X users update to the latest version, or delete the application for better protection, because hackers always find ways to bypass the usual fixes in place, acquire greater access to the machine, and modify the file system as root.
Keep in mind that our modern society depends on computers, mobile devices, and the internet; always stay safe and secure.
We will continue to monitor this cybersecurity problem. Meanwhile, users should keep a keen eye out for any cyber attacks. Remember to use an antivirus for Windows or an antivirus for Mac on every device you own, depending on which OS your machine runs. If you are a company, we recommend hiring a specialized cybersecurity company every year to run annual tests on your company’s network; such tests include penetration testing and ethical hacking.