ASA-2018-00094 – Keybase: Untrusted search path allows privilege escalation

Allele Security Alert



ASA-2018-00094, CVE-2018-18629


Untrusted search path allows privilege escalation





Affected version(s)

Keybase versions release on or after March 1, 2018 (commit 06b97bb3), and prior to 2.8.0-20181023124437

Fixed version(s)

Keybase 2.8.0-20181023124437 or above

Proof of concept



The Keybase file system redirector controls the /keybase mountpoint on Linux machines (and macOS machines that have enabled Finder integration). In order to support multiple users running Keybase on the same machine, both able to access the Keybase file system through /keybase paths, this mountpoint acts as a redirector, using FUSE to present symlinks to user, redirecting them to their personal Keybase file system mountpoint (usually located at /run/user/UID/keybase/kbfs on Linux, though it varies by OS distribution and local configuration). The binary that creates this mountpoint is called keybase-redirector, and the Keybase package installer sets its suid bit so that it can have root permissions, which are necessary to create the /keybase mountpoint and to mount a FUSE file system that can be accessed by multiple users. It is executable by any user, since users run Keybase under their own accounts.

The attack was possible due to a previous version of keybase-redirector that used the fusermount binary to create the /keybase mountpoint. It did this indirectly through a call to the Mount() function in the Go library (forked for Keybase here), after obtaining root privileges. That function used Go’s exec.Command function to execute a call to fusermount. However, it did not specify an absolute path or clear the environment when doing so. Because of this, malicious software running on the user’s computer could make any executable named fusermount, set their $PATH environment variable to include the directory containing that executable, and call keybase-redirector, tricking it into running that executable with root permissions.

Technical details



Rich Mirch (mirchr)


CVE-2018-18629: Keybase Linux privilege escalation

Local Privilege Escalation on Linux via keybase-redirector (KB002)

PoC for CVE-2018-18629 Keybase Linux Privilege Escalation

Linux privilege escalation via trusted $PATH in keybase-redirector



If there is any error in this alert or you wish a comprehensive analysis, let us know.

Last modified: February 1, 2019

We are not responsible for any data loss, device corruption or any other type of issue due to the use of any information mentioned in our security alerts.