A Dozen Flaws in Popular Mac Clean-Up Software Allow Local Root Access

[silversurfer]

A passel of privilege-escalation vulnerabilities in MacPaw’s CleanMyMac X software would allow a local attacker to gain root access to an Apple machine in various ways.

CleanMyMac X is a cleanup application for MacOS that optimizes the drives and frees up space by scanning for unused, redundant or unnecessary files and deleting them. No fewer than a dozen flaws plague 4.0 earlier versions of the software, all of them in the package’s “helper protocol.”

“The application is able to scan the system and user directories, looking for unused and leftover files and applications,” explained Cisco in the advisory, issued Wednesday. “The application also markets the ability to help detect and prevent viruses and malware on OS X. The software utilizes a privilege helper tool running as root to get this work done faster. This allows the application to remove and modify system files.”

As such, the helper functions run as root functions; the flaws arise from the act that they can be accessed by applications without validation – thus giving those applications root access.

Source: https://threatpost.com/flaws-mac-clean-up-root/140551/