ASA-2018-00094 – Keybase: Untrusted search path allows privilege escalation


Allele Security Alert

ASA-2018-00094

Identifier(s)

ASA-2018-00094, CVE-2018-18629

Title

Untrusted search path allows privilege escalation

Vendor(s)

Keybase

Product(s)

Keybase

Affected version(s)

Keybase versions release on or after March 1, 2018 (commit 06b97bb3), and prior to 2.8.0-20181023124437

Fixed version(s)

Keybase 2.8.0-20181023124437 or above

Proof of concept

Yes

Description

The Keybase file system redirector controls the /keybase mountpoint on Linux machines (and macOS machines that have enabled Finder integration). In order to support multiple users running Keybase on the same machine, both able to access the Keybase file system through /keybase paths, this mountpoint acts as a redirector, using FUSE to present symlinks to user, redirecting them to their personal Keybase file system mountpoint (usually located at /run/user/UID/keybase/kbfs on Linux, though it varies by OS distribution and local configuration). The binary that creates this mountpoint is called keybase-redirector, and the Keybase package installer sets its suid bit so that it can have root permissions, which are necessary to create the /keybase mountpoint and to mount a FUSE file system that can be accessed by multiple users. It is executable by any user, since users run Keybase under their own accounts.

The attack was possible due to a previous version of keybase-redirector that used the fusermount binary to create the /keybase mountpoint. It did this indirectly through a call to the Mount() function in the Go library bazil.org/fuse (forked for Keybase here), after obtaining root privileges. That function used Go’s exec.Command function to execute a call to fusermount. However, it did not specify an absolute path or clear the environment when doing so. Because of this, malicious software running on the user’s computer could make any executable named fusermount, set their $PATH environment variable to include the directory containing that executable, and call keybase-redirector, tricking it into running that executable with root permissions.

Technical details

Unknown

Credits

Rich Mirch (mirchr)

Reference(s)

CVE-2018-18629: Keybase Linux privilege escalation
https://blog.mirch.io/2018/12/21/cve-2018-18629-keybase-linux-privilege-escalation/

Local Privilege Escalation on Linux via keybase-redirector (KB002)
https://keybase.io/docs/secadv/kb002

PoC for CVE-2018-18629 Keybase Linux Privilege Escalation
https://raw.githubusercontent.com/mirchr/security-research/master/vulnerabilities/CVE-2018-18629.sh

Linux privilege escalation via trusted $PATH in keybase-redirector
https://hackerone.com/reports/426944

CVE-2018-18629
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-18629

CVE-2018-18629
https://nvd.nist.gov/vuln/detail/CVE-2018-18629

If there is any error in this alert or you wish a comprehensive analysis, let us know.

Last modified: February 1, 2019