ASA-2019-00038 – Keybase: Local Privilege Escalation in MacOS via Keybase Helper


Allele Security Alert

ASA-2019-00038

Identifier(s)

ASA-2019-00038, KB004

Title

Local Privilege Escalation in MacOS via Keybase Helper

Vendor(s)

Keybase

Product(s)

Keybase

Affected version(s)

Keybase before 2.12.6

Fixed version(s)

Keybase 2.13

Proof of concept

Unknown

Description

After our previous security disclosure, the Keybase update/installer system has attracted additional scrutiny from security researchers. We collected reports from five researchers who found further bugs in the Keybase Helper process and Keybase Installer process, both of which are used to keep Keybase up-to-date without user intervention.

There were three bugs found in these reports: (1) there was a race condition in code that checked that the Helper was talking to an authorized Installer, primarily due to the fact that Apple does not publish the secure APIs for so doing; (2) there was a time-to-check-time-to-use (TOCTOU) bug in placing the redirector process into its run location, that would allow an attacker to fool the installer into putting a symbolic link into a secure location, that could then be replaced; and (3) the move RPC to the Helper was susceptible to TOCTOU bugs and would also allow one user of the system (who didn’t have root access) to tamper with another’s installs.

Malicious software (outside of Keybase) running on the local computer could have used such a bug to escalate privileges.
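Bugs (2) and (3) above are check-then-use races on file paths. The following Go example is added here for illustration and is not Keybase's code or taken from the fix commits; it shows the defensive pattern for a privileged file placement, where every check is made on an already-open descriptor. The names `placeFile` and `wantUID` are hypothetical, and the sample files are constructed.

```go
package main

import (
	"errors"
	"fmt"
	"io"
	"os"
	"syscall"
)

// placeFile copies src to dst the way a privileged helper should: checks are
// made on the open descriptor, never on the path a second time.
// Hypothetical helper for illustration; not Keybase code.
func placeFile(src, dst string, wantUID uint32) error {
	// O_NOFOLLOW: fail if the final path component is a symbolic link.
	in, err := os.OpenFile(src, os.O_RDONLY|syscall.O_NOFOLLOW, 0)
	if err != nil {
		return fmt.Errorf("open source: %w", err)
	}
	defer in.Close()
	// Stat on an open *os.File is fstat(2): it describes the object we hold,
	// so swapping the path afterwards cannot change the answer.
	fi, err := in.Stat()
	if err != nil {
		return err
	}
	st, ok := fi.Sys().(*syscall.Stat_t)
	if !ok || !fi.Mode().IsRegular() || st.Uid != wantUID {
		return errors.New("source is not a regular file owned by the expected user")
	}
	// O_EXCL: refuse a destination that already exists, including a planted symlink.
	out, err := os.OpenFile(dst, os.O_WRONLY|os.O_CREATE|os.O_EXCL|syscall.O_NOFOLLOW, 0755)
	if err != nil {
		return fmt.Errorf("create destination: %w", err)
	}
	if _, err := io.Copy(out, in); err != nil {
		out.Close()
		os.Remove(dst)
		return err
	}
	return out.Close()
}

func main() {
	dir, _ := os.MkdirTemp("", "toctou") // constructed sample files
	defer os.RemoveAll(dir)
	os.WriteFile(dir+"/real", []byte("constructed sample payload"), 0644)
	os.Symlink(dir+"/real", dir+"/link")
	uid := uint32(os.Getuid())
	fmt.Println("regular file:", placeFile(dir+"/real", dir+"/out1", uid))
	fmt.Println("symlink source:", placeFile(dir+"/link", dir+"/out2", uid))
}
```

`O_NOFOLLOW` only covers the final path component, so the directories leading to both paths must themselves be writable only by the privileged user.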

Technical details

Unknown

Credits

Rich Mirch, 0xCCCC, Jan Votava, jinmo123, Nicolas Trippar

Reference(s)

Local Privilege Escalation in MacOS via Keybase Helper (KB004)
https://keybase.io/docs/secadv/kb004

macOS privilege escalation via keybase install
https://hackerone.com/reports/471739

Privilege Escalation via Keybase Helper (incomplete security fix)
https://hackerone.com/reports/470003

Local privilege escalation bug using Keybase redirector on macOS
https://hackerone.com/reports/470398

Privilege Escalation through Keybase Installer via Helper
https://hackerone.com/reports/473252

relax the admin check and simplify the helper
https://github.com/keybase/client/commit/2be68d4bdcab931b49b3ecd5fbe21a4d4493f268#diff-83d62ffede33f42f62b99d98fee07152L103

relax the admin check and simplify the helper
https://github.com/keybase/client/commit/2be68d4bdcab931b49b3ecd5fbe21a4d4493f268#diff-80a111243b08af81f9acd05f5da18bb4R93

installer upgrades
https://github.com/keybase/client/commit/363e5462a0805db3fb5b5e31f9f5bc2d4d01964f#diff-83d62ffede33f42f62b99d98fee07152R204


Last modified: February 2, 2019
