Allele Security Alert
ASA-2019-00038
Identifier(s)
ASA-2019-00038, KB004
Title
Local Privilege Escalation in MacOS via Keybase Helper
Vendor(s)
Keybase
Product(s)
Keybase
Affected version(s)
Keybase before 2.12.6
Fixed version(s)
Keybase 2.13
Proof of concept
Unknown
Description
After our previous security disclosure, the Keybase update/installer system has attracted additional scrutiny from security researchers. We collected reports from five researchers who found further bugs in the Keybase Helper process and Keybase Installer process, both of which are used to keep Keybase up-to-date without user intervention.
There were three bugs found in these reports: (1) there was a race condition in the code that checked that the Helper was talking to an authorized Installer, primarily due to the fact that Apple does not publish the secure APIs for doing so; (2) there was a time-of-check to time-of-use (TOCTOU) bug in placing the redirector process into its run location, which would allow an attacker to fool the installer into putting a symbolic link into a secure location, that could then be replaced; and (3) the move RPC to the Helper was susceptible to TOCTOU bugs and would also allow one user of the system (who didn’t have root access) to tamper with another’s installs.
Malicious software (outside of Keybase) running on the local computer could have used such a bug to escalate privileges.
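The symlink TOCTOU class named in bugs (2) and (3), shown as a check-then-use pattern beside a descriptor-based check. This is an added illustration, not Keybase's code (this alert lists the technical details as unknown); the function names `open_racy` and `open_checked` and the ownership/mode policy are assumptions made for the example.

```c
#define _POSIX_C_SOURCE 200809L
#include <fcntl.h>
#include <stdio.h>
#include <sys/stat.h>
#include <sys/types.h>
#include <unistd.h>

/* Racy pattern (the bug class): the path is examined, then resolved a
 * second time. Whatever sits at `path` can be swapped between the calls. */
int open_racy(const char *path, uid_t owner) {
    struct stat st;
    if (lstat(path, &st) != 0) return -1;              /* time of check */
    if (!S_ISREG(st.st_mode) || st.st_uid != owner) return -1;
    return open(path, O_RDONLY);                       /* time of use, follows symlinks */
}

/* Hardened pattern: resolve the name once, refuse a symlink in the final
 * component, and validate the object behind the descriptor, not the name. */
int open_checked(const char *path, uid_t owner) {
    /* O_NONBLOCK keeps open() from hanging if a FIFO was planted at path. */
    int fd = open(path, O_RDONLY | O_NOFOLLOW | O_NONBLOCK | O_CLOEXEC);
    if (fd < 0) return -1;                             /* fails if path is a symlink */
    struct stat st;
    if (fstat(fd, &st) != 0 ||
        !S_ISREG(st.st_mode) ||                        /* regular file only */
        st.st_uid != owner ||                          /* owned by the expected user */
        (st.st_mode & (S_IWGRP | S_IWOTH)) != 0) {     /* not writable by group/other */
        close(fd);
        return -1;
    }
    return fd;  /* keep operating on fd (fstat, fchmod, read), never on the path */
}

int main(int argc, char **argv) {
    if (argc != 2) { fprintf(stderr, "usage: %s <path>\n", argv[0]); return 2; }
    int fd = open_checked(argv[1], geteuid());
    printf("%s: %s\n", argv[1], fd >= 0 ? "accepted" : "rejected");
    if (fd >= 0) close(fd);
    return fd >= 0 ? 0 : 1;
}
```

`O_NOFOLLOW` only covers the final path component, so a privileged helper also needs every parent directory of the target to be writable by root alone.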
Technical details
Unknown
Credits
Rich Mirch, 0xCCCC, Jan Votava, jinmo123, Nicolas Trippar
Reference(s)
Local Privilege Escalation in MacOS via Keybase Helper (KB004)
https://keybase.io/docs/secadv/kb004
macOS privilege escalation via keybase install
https://hackerone.com/reports/471739
Privilege Escalation via Keybase Helper (incomplete security fix)
https://hackerone.com/reports/470003
Local privilege escalation bug using Keybase redirector on macOS
https://hackerone.com/reports/470398
Privilege Escalation through Keybase Installer via Helper
https://hackerone.com/reports/473252
relax the admin check and simplify the helper
https://github.com/keybase/client/commit/2be68d4bdcab931b49b3ecd5fbe21a4d4493f268#diff-83d62ffede33f42f62b99d98fee07152L103
relax the admin check and simplify the helper
https://github.com/keybase/client/commit/2be68d4bdcab931b49b3ecd5fbe21a4d4493f268#diff-80a111243b08af81f9acd05f5da18bb4R93
installer upgrades
https://github.com/keybase/client/commit/363e5462a0805db3fb5b5e31f9f5bc2d4d01964f#diff-83d62ffede33f42f62b99d98fee07152R204
Last modified: February 2, 2019