Allele Security Alert
Untrusted search path allows privilege escalation
Keybase versions released on or after March 1, 2018 (commit 06b97bb3), and prior to 2.8.0-20181023124437
Keybase 2.8.0-20181023124437 or above
Proof of concept
The Keybase file system redirector controls the /keybase mountpoint on Linux machines (and macOS machines that have enabled Finder integration). To support multiple users running Keybase on the same machine, each able to access the Keybase file system through /keybase paths, this mountpoint acts as a redirector: it uses FUSE to present symlinks to users, redirecting them to their personal Keybase file system mountpoint (usually located at /run/user/UID/keybase/kbfs on Linux, though it varies by OS distribution and local configuration). The binary that creates this mountpoint is called keybase-redirector, and the Keybase package installer sets its suid bit so that it can have root permissions, which are necessary to create the /keybase mountpoint and to mount a FUSE file system that can be accessed by multiple users. It is executable by any user, since users run Keybase under their own accounts.
The attack was possible because a previous version of keybase-redirector used the fusermount binary to create the /keybase mountpoint. It did this indirectly, through a call to the Mount() function in the Go library bazil.org/fuse (forked for Keybase), after obtaining root privileges. That function used Go’s exec.Command function to execute fusermount. However, it did not specify an absolute path or clear the environment when doing so. Because of this, malicious software running on the user’s computer could create an executable named fusermount, set the $PATH environment variable to include the directory containing that executable, and call keybase-redirector, tricking it into running that executable with root permissions.
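The Go sketch below is an added example, not code from Keybase or bazil.org/fuse. It contrasts the bare-name exec.Command pattern described above with one way to close both gaps (absolute path, fixed environment), and shows what each would resolve to when $PATH is caller-controlled. The function names, the fusermount arguments and the /bin/fusermount location are assumptions; the planted file is inert and nothing is executed.

```go
package main

import (
	"fmt"
	"os"
	"os/exec"
	"path/filepath"
)

const fusermountPath = "/bin/fusermount" // assumed location; confirm per distribution

// unsafeCommand uses a bare name, so exec.Command resolves it through the
// caller-controlled $PATH; cmd.Env stays nil, so the child inherits everything.
func unsafeCommand(mountpoint string) *exec.Cmd {
	return exec.Command("fusermount", "--", mountpoint) // illustrative arguments
}

// safeCommand pins the helper to an absolute path and replaces the inherited
// environment with a fixed, minimal one.
func safeCommand(mountpoint string) *exec.Cmd {
	cmd := exec.Command(fusermountPath, "--", mountpoint)
	cmd.Env = []string{"PATH=/usr/sbin:/usr/bin:/sbin:/bin"}
	return cmd
}

// resolveWithPlantedPath puts a temp directory holding an inert file named
// fusermount first in $PATH and reports which binary each command would run.
func resolveWithPlantedPath() (planted, unsafePath, safePath string, err error) {
	dir, err := os.MkdirTemp("", "pathdemo")
	if err != nil {
		return "", "", "", err
	}
	defer os.RemoveAll(dir)
	planted = filepath.Join(dir, "fusermount")
	if err = os.WriteFile(planted, []byte("#!/bin/sh\n"), 0o755); err != nil {
		return "", "", "", err
	}
	old := os.Getenv("PATH")
	defer os.Setenv("PATH", old)
	os.Setenv("PATH", dir+string(os.PathListSeparator)+old)
	return planted, unsafeCommand("/keybase").Path, safeCommand("/keybase").Path, nil
}

func main() {
	// Prints: planted file, path chosen by unsafeCommand, path chosen by safeCommand, error.
	fmt.Println(resolveWithPlantedPath())
}
```

For a setuid binary, the same review applies to every child process it starts, and cmd.Path is a convenient field to assert on in a regression test.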
Rich Mirch (mirchr)
CVE-2018-18629: Keybase Linux privilege escalation
Local Privilege Escalation on Linux via keybase-redirector (KB002)
PoC for CVE-2018-18629 Keybase Linux Privilege Escalation
Linux privilege escalation via trusted $PATH in keybase-redirector
Last modified: February 1, 2019