ASA-2019-00038 – Keybase: Local Privilege Escalation in MacOS via Keybase Helper

Allele Security Alert



ASA-2019-00038, KB004


Local Privilege Escalation in MacOS via Keybase Helper





Affected version(s)

Keybase before 2.12.6

Fixed version(s)

Keybase 2.13

Proof of concept



After our previous security disclosure, the Keybase update/installer system has attracted additional scrutiny from security researchers. We collected reports from five researchers who found further bugs in the Keybase Helper process and Keybase Installer process, both of which are used to keep Keybase up-to-date without user intervention.

There were three bugs found in these reports: (1) there was a race condition in code that checked that the Helper was talking to an authorized Installer, primarily due to the fact that Apple does not publish the secure APIs for so doing; (2) there was a time-of-check to time-of-use (TOCTOU) bug in placing the redirector process into its run location, that would allow an attacker to fool the installer into putting a symbolic link into a secure location, that could then be replaced; and (3) the move RPC to the Helper was susceptible to TOCTOU bugs and would also allow one user of the system (who didn't have root access) to tamper with another's installs.

Malicious software (outside of Keybase) running on the local computer could have used such a bug to escalate privileges.
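As an added illustration (not Keybase's code and not any of the reported exploits), the C program below shows the general shape of the TOCTOU hazard behind bugs (2) and (3): a privileged installer validates a staged path and then moves that path into a protected location, while an unprivileged local user replaces the path with a symbolic link in between. The attacker winning the race is simulated with a hook rather than a real concurrent process, the program works only in a temporary directory it creates itself, and it needs no privileges. The hardened variant keeps the staged file open across the check, validates the open descriptor (regular file, expected owner, not writable by group or others, which also addresses the cross-user tampering in bug 3), copies from that descriptor, and creates the destination with O_EXCL so nothing pre-planted at the destination is written through. All function names, paths and file contents are constructed for this example.

```c
#define _GNU_SOURCE /* expose mkdtemp/symlink/O_NOFOLLOW on glibc; harmless elsewhere */
#include <fcntl.h>
#include <limits.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <sys/types.h>
#include <unistd.h>

/* Hook run between "check" and "use"; the demo uses it to stand in for an
 * attacker who wins the race (constructed for this example). */
typedef void (*race_hook)(const char *src);

/* VULNERABLE pattern: validate the path, then operate on the path again.
 * rename() moves whatever is at src at that moment; if it is now a symlink,
 * the symlink itself lands in the protected destination. */
int install_check_then_rename(const char *src, const char *dst, race_hook between) {
    struct stat st;
    if (lstat(src, &st) != 0 || !S_ISREG(st.st_mode))
        return -1;                 /* check passes only for a regular file */
    if (between) between(src);     /* race window */
    return rename(src, dst);       /* use: acts on the current src, not the checked one */
}

/* HARDENED pattern: open once without following links, validate the open
 * descriptor, and copy from it into a freshly created (O_EXCL) destination.
 * Swapping the path after the check changes nothing: the inode that was
 * checked is the inode that is copied. */
int install_validated_copy(const char *src, const char *dst, uid_t expected_owner, race_hook between) {
    int in = open(src, O_RDONLY | O_NOFOLLOW | O_CLOEXEC);
    if (in < 0) return -1;         /* a symlink at src fails here (ELOOP) */
    struct stat st;
    if (fstat(in, &st) != 0 || !S_ISREG(st.st_mode) || st.st_uid != expected_owner
        || (st.st_mode & (S_IWGRP | S_IWOTH))) {
        close(in);                 /* wrong owner or writable by others: another user could tamper */
        return -1;
    }
    if (between) between(src);     /* same race window, now harmless */
    int out = open(dst, O_WRONLY | O_CREAT | O_EXCL | O_CLOEXEC, 0755);
    if (out < 0) { close(in); return -1; }  /* never write through anything already at dst */
    char buf[4096];
    ssize_t n;
    while ((n = read(in, buf, sizeof buf)) > 0)
        if (write(out, buf, (size_t)n) != n) { n = -1; break; }
    close(in);
    if (close(out) != 0 || n < 0) { unlink(dst); return -1; }
    return 0;
}

/* --- demo scaffolding (constructed) --- */
static char g_attacker_file[PATH_MAX];

/* Attacker's move: replace the staged file with a symlink to a file they control. */
static void attacker_swap(const char *src) {
    unlink(src);
    symlink(g_attacker_file, src);
}

static int write_file(const char *path, const char *text) {
    int fd = open(path, O_WRONLY | O_CREAT | O_TRUNC | O_CLOEXEC, 0644);
    if (fd < 0) return -1;
    ssize_t n = write(fd, text, strlen(text));
    close(fd);
    return n == (ssize_t)strlen(text) ? 0 : -1;
}

/* Runs one install in a private temp dir. Returns:
 *   1  dst is a symlink (attacker's link was placed into the "secure" location)
 *   0  dst is a regular file holding the legitimate content
 *   2  dst is a regular file with some other content
 *  -1  nothing was installed (installer refused)
 *  -2  setup failure */
int demo(int hardened, int attacker_swaps_before_check) {
    char dir[] = "/tmp/toctou-demo-XXXXXX";
    if (!mkdtemp(dir)) return -2;
    char src[PATH_MAX], dst[PATH_MAX];
    snprintf(src, sizeof src, "%s/staged", dir);
    snprintf(dst, sizeof dst, "%s/installed", dir);
    snprintf(g_attacker_file, sizeof g_attacker_file, "%s/attacker-controlled", dir);
    int result = -2;
    if (write_file(src, "legit\n") == 0 && write_file(g_attacker_file, "evil\n") == 0) {
        race_hook hook = attacker_swap;
        if (attacker_swaps_before_check) { attacker_swap(src); hook = NULL; }
        if (hardened) install_validated_copy(src, dst, getuid(), hook);
        else          install_check_then_rename(src, dst, hook);
        struct stat st;
        if (lstat(dst, &st) != 0) result = -1;
        else if (S_ISLNK(st.st_mode)) result = 1;
        else {
            char got[64] = {0};
            int fd = open(dst, O_RDONLY);
            if (fd >= 0) { if (read(fd, got, sizeof got - 1) < 0) got[0] = 0; close(fd); }
            result = strcmp(got, "legit\n") == 0 ? 0 : 2;
        }
    }
    unlink(src); unlink(dst); unlink(g_attacker_file); rmdir(dir);
    return result;
}

int main(void) {
    printf("vulnerable, raced: %d (1 = symlink installed)\n", demo(0, 0));
    printf("hardened, raced: %d (0 = legitimate file installed)\n", demo(1, 0));
    printf("hardened, symlink already staged: %d (-1 = refused)\n", demo(1, 1));
    return 0;
}
```

The pre-swap case shows why a path check is not enough on its own: both variants refuse a symlink that is already in place, and only the raced run separates them. A real helper would additionally require the destination directory to be root-owned and not writable by the requesting user, and would verify the requesting client before acting at all, which is the separate race in bug (1).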

Technical details



Credits

Rich Mirch, 0xCCCC, Jan Votava, jinmo123, Nicolas Trippar

References

Local Privilege Escalation in MacOS via Keybase Helper (KB004)

macOS privilege escalation via keybase install

Privilege Escalation via Keybase Helper (incomplete security fix)

Local privilege escalation bug using Keybase redirector on macOS

Privilege Escalation through Keybase Installer via Helper

relax the admin check and simplify the helper

relax the admin check and simplify the helper

installer upgrades

If there is any error in this alert or you wish a comprehensive analysis, let us know.

Last modified: February 2, 2019

We are not responsible for any data loss, device corruption or any other type of issue due to the use of any information mentioned in our security alerts.