CVE-2018-10171

9.8 CRITICAL

📋 TL;DR

CVE-2018-10171 is a critical privilege escalation vulnerability in MacKeeper 3.20.4 that allows unprivileged applications to execute arbitrary shell commands as root through a vulnerable XPC service. It affects all Mac users running the vulnerable version of MacKeeper. An attacker with local user-level access can gain complete control of the affected system without further authentication.

💻 Affected Systems

Products:
  • Kromtech MacKeeper
Versions: 3.20.4 and likely earlier versions
Operating Systems: macOS
Default Config Vulnerable: ⚠️ Yes
Notes: The vulnerability is in the default installation of MacKeeper. No special configuration is required for exploitation.

⚠️ Risk & Real-World Impact

🔴 Worst Case: Complete system compromise with root access, allowing installation of persistent malware, data theft, and full control over the macOS system.

🟠 Likely Case: Local attackers or malware gaining root privileges to install additional payloads, modify system files, or establish persistence.

🟢 If Mitigated: Limited impact if MacKeeper is not installed or has been updated, though any vulnerable installation remains at high risk.

🌐 Internet-Facing: LOW - This is primarily a local privilege escalation requiring local access or malware execution first.
🏢 Internal Only: HIGH - Any user or malware with local access can exploit this to gain root privileges on affected systems.

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ✅ No
Complexity: LOW

Exploitation requires local access but is straightforward once an attacker has user-level access. The XPC service flaw makes exploitation simple.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Versions after 3.20.4

Vendor Advisory: https://mackeeper.com/blog/post/security-update

Restart Required: No

Instructions:

1. Open MacKeeper application
2. Check for updates in settings
3. Install any available updates
4. Verify version is newer than 3.20.4

🔧 Temporary Workarounds

Remove vulnerable component

Applies to: all

Remove the vulnerable AdwareAnalyzerPrivilegedHelper XPC service:

  sudo rm -rf /Library/PrivilegedHelperTools/com.mackeeper.AdwareAnalyzer.AdwareAnalyzerPrivilegedHelper
  sudo rm -rf /Library/LaunchDaemons/com.mackeeper.AdwareAnalyzer.AdwareAnalyzerPrivilegedHelper.plist

Deleting the files does not stop a helper that is already running; unload the launchd job (sudo launchctl unload <path to the plist>) or reboot afterwards.

Uninstall MacKeeper

Applies to: all

Completely remove MacKeeper from the system, using MacKeeper's built-in uninstaller or by manually removing all of its components.

🧯 If You Can't Patch

  • Remove MacKeeper entirely from affected systems
  • Implement strict application control to prevent unauthorized applications from running

🔍 How to Verify

Check if Vulnerable:

Check whether the privileged helper com.mackeeper.AdwareAnalyzer.AdwareAnalyzerPrivilegedHelper is present:

  ls -la /Library/PrivilegedHelperTools/

Check Version:

Check the MacKeeper About window, or read the version from the application bundle's Info.plist.

Verify Fix Applied:

Verify that the helper tool has been removed or that the MacKeeper version is newer than 3.20.4.
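The three checks above, combined into one script as an added example (not from the advisory or the vendor). It assumes MacKeeper is installed as a standard bundle at /Applications/MacKeeper.app and reads its version with `defaults read`; the helper and LaunchDaemon paths are the ones listed in the workaround.

```shell
#!/bin/sh
# Added verification script for CVE-2018-10171 (not vendor code).
HELPER_NAME="com.mackeeper.AdwareAnalyzer.AdwareAnalyzerPrivilegedHelper"
LAST_AFFECTED="3.20.4"                      # 3.20.4 and older are in scope
# Assumed bundle location (not stated in the advisory).
APP_PLIST="/Applications/MacKeeper.app/Contents/Info"

# Compare dotted versions component by component; prints -1, 0 or 1.
# Done by hand because macOS sort(1) has no -V option.
vercmp() {
    a="$1"; b="$2"
    while [ -n "$a" ] || [ -n "$b" ]; do
        ai="${a%%.*}"; bi="${b%%.*}"
        [ "$a" = "$ai" ] && a="" || a="${a#*.}"
        [ "$b" = "$bi" ] && b="" || b="${b#*.}"
        if [ "${ai:-0}" -lt "${bi:-0}" ]; then echo -1; return 0; fi
        if [ "${ai:-0}" -gt "${bi:-0}" ]; then echo 1; return 0; fi
    done
    echo 0
}

# True when the version is 3.20.4 or older. An empty (unreadable) version is
# treated as affected so an unknown install is not waved through.
version_affected() { [ "$(vercmp "${1:-0}" "$LAST_AFFECTED")" -le 0 ]; }

# True when the privileged helper or its LaunchDaemon plist is still on disk.
# $1 = PrivilegedHelperTools dir, $2 = LaunchDaemons dir (parameters for testing).
helper_present() {
    [ -e "$1/$HELPER_NAME" ] || [ -e "$2/$HELPER_NAME.plist" ]
}

# Verdict as the advisory defines it: fixed once the helper is gone OR the
# installed version is newer than 3.20.4.
assess() {  # $1 version, $2 PrivilegedHelperTools dir, $3 LaunchDaemons dir
    if helper_present "$2" "$3" && version_affected "$1"; then
        echo VULNERABLE
    else
        echo REMEDIATED
    fi
}

main() {
    ver=""
    if command -v defaults >/dev/null 2>&1; then
        ver="$(defaults read "$APP_PLIST" CFBundleShortVersionString 2>/dev/null || true)"
    fi
    echo "MacKeeper version: ${ver:-not found}"
    assess "$ver" /Library/PrivilegedHelperTools /Library/LaunchDaemons
}
main
```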

📡 Detection & Monitoring

Log Indicators:

  • Unusual root privilege escalation attempts
  • Execution of shell commands via XPC service
  • Processes running as root from user applications

Network Indicators:

  • None - this is a local privilege escalation

SIEM Query:

Process creation where parent process is XPC service and user transitions from non-root to root
