ASA-2019-00038 – Keybase: Local Privilege Escalation in MacOS via Keybase Helper

After our previous security disclosure, the Keybase update/installer system has attracted additional scrutiny from security researchers. We collected reports from five researchers who found further bugs in the Keybase Helper process and the Keybase Installer process, both of which are used to keep Keybase up to date without user intervention. These reports covered three bugs: (1) a race condition in the code that checked that the Helper was talking to an authorized Installer, primarily because Apple does not publish the secure APIs for doing so; (2) a time-of-check-to-time-of-use (TOCTOU) bug in placing the redirector process into its run location, which would allow an attacker to fool the Installer into putting a symbolic link into a secure location, where it could then be replaced; and (3) the move RPC to the Helper was susceptible to TOCTOU bugs and would also allow one user of the system (without root access) to tamper with another user's install. Malicious software (outside of Keybase) running on the local computer could have used such a bug to escalate privileges.
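As an added illustration of the defensive pattern behind bug (2), and not code from Keybase or from the researchers' reports: a privileged installer that validates the staged file by its open descriptor (type, owner, permissions) and copies through that same descriptor, so that a symbolic link swapped into the staging path between the check and the move cannot be carried into the secure location. Function names, the temp-directory fixture and the uid check are assumptions made for this example.

```c
#define _XOPEN_SOURCE 700   /* mkdtemp, symlink, fchmod under strict -std flags */
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/* Check the open descriptor, never the path: the check and the copy then refer
 * to one inode, so a symlink swapped in between them cannot change the result. */
static int fd_is_trusted_regular_file(int fd, uid_t owner) {
    struct stat st;
    if (fstat(fd, &st) != 0 || !S_ISREG(st.st_mode)) return 0;   /* symlink, dir, fifo */
    if (st.st_uid != owner || (st.st_mode & (S_IWGRP | S_IWOTH))) return 0; /* wrong owner or writable */
    return 1;
}

/* Copy src_path to dst_path through a validated descriptor: 0 on success, -1 otherwise.
 * O_NOFOLLOW fails the open on a symlink; O_EXCL refuses to follow or overwrite dst_path. */
int install_file_safely(const char *src_path, const char *dst_path, uid_t owner) {
    int in = open(src_path, O_RDONLY | O_NOFOLLOW | O_CLOEXEC);
    if (in < 0) return -1;
    if (!fd_is_trusted_regular_file(in, owner)) { close(in); return -1; }
    int out = open(dst_path, O_WRONLY | O_CREAT | O_EXCL | O_CLOEXEC, 0755);
    if (out < 0) { close(in); return -1; }
    char buf[4096];
    ssize_t n, w, off, ok = 1;
    while (ok && (n = read(in, buf, sizeof buf)) > 0)
        for (off = 0; ok && off < n; off += w)
            if ((w = write(out, buf + off, (size_t)(n - off))) < 0) ok = 0;
    close(in);
    if (close(out) != 0 || n < 0) ok = 0;   /* read error or failed flush: discard the partial copy */
    if (!ok) unlink(dst_path);
    return ok ? 0 : -1;
}

/* Constructed fixture: a staged regular file plus a symlink to it in a fresh temp dir.
 * Returns 1 when the symlink is refused and the regular file installs, 0 otherwise. */
int demo_symlink_is_refused(void) {
    char dir[] = "/tmp/helperdemoXXXXXX", staged[64], link[64], dst[64];
    if (!mkdtemp(dir)) return 0;
    snprintf(staged, sizeof staged, "%s/staged", dir);
    snprintf(link, sizeof link, "%s/link", dir);
    snprintf(dst, sizeof dst, "%s/installed", dir);
    int fd = open(staged, O_WRONLY | O_CREAT | O_EXCL, 0755);
    if (fd < 0 || write(fd, "#!/bin/sh\n", 10) != 10 || fchmod(fd, 0755) != 0) return 0;
    close(fd);
    if (symlink(staged, link) != 0) return 0;
    int refused = install_file_safely(link, dst, getuid()) == -1;   /* symlink rejected */
    return refused && install_file_safely(staged, dst, getuid()) == 0; /* real file installs */
}
```

The same descriptor-based checks apply to a move RPC like the one in bug (3): a helper that verifies ownership on the opened file rather than trusting the caller's path cannot be steered at another user's files.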