Local Privilege Escalation in MacOS via Keybase Helper (KB001)
2018 Dec 18
The Keybase Helper process allows Keybase clients on MacOS to upgrade the FUSE kext and to load it on machine startup. In versions prior to v2.5.2, this helper process did insufficient permission checking and could allow non-Keybase software to install files in sensitive locations. Malicious software (outside of Keybase) running on the local computer could have used such a bug to escalate privileges.
This attack was discovered by HackerOne researcher Adam Chester in late August 2018. We are deeply thankful to Adam for doing such good research and for sharing his findings in such a timely and responsible manner.
A key upstream library used in the helper process improved its authentication checks, and we incorporated these improvements into our software. The checks are intended to prevent non-Keybase software from abusing the helper process. We released this fix in v2.5.2 in early September 2018.
Affected versions: Keybase on MacOS prior to 2.5.2.
Upgrade to v2.11 or above. Almost all users received a patched version via automatic upgrades shortly after the bug was discovered.
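The version check implied by the two thresholds above, as an added example (not part of the original advisory and not Keybase code). It compares fields numerically, because a plain string comparison would sort 2.11 before 2.5.2. The host names, the inventory format and the status labels are assumptions made for illustration.

```shell
#!/bin/sh
# Added example (not Keybase code): triage Keybase macOS versions for KB001.
FIXED=2.5.2        # first release containing the fix, per the advisory
RECOMMENDED=2.11   # version the advisory asks users to upgrade to

# ver_lt A B: succeed if A < B, comparing up to three dot-separated
# fields as integers (missing fields count as 0).
ver_lt() {
  a=$1 b=$2
  for n in 1 2 3; do
    x=${a%%.*} y=${b%%.*}
    if [ "$x" -lt "$y" ]; then return 0; fi
    if [ "$x" -gt "$y" ]; then return 1; fi
    case $a in *.*) a=${a#*.} ;; *) a=0 ;; esac
    case $b in *.*) b=${b#*.} ;; *) b=0 ;; esac
  done
  return 1
}

# classify VERSION: print affected | upgrade-recommended | ok | unparsed.
classify() {
  core=${1#v}            # tolerate a leading "v"
  core=${core%%[-+]*}    # drop build suffix such as -20180906142014+a801e75b82
  case $core in
    ''|*[!0-9.]*|.*|*.|*..*) echo unparsed; return 0 ;;
  esac
  if ver_lt "$core" "$FIXED"; then echo affected
  elif ver_lt "$core" "$RECOMMENDED"; then echo upgrade-recommended
  else echo ok
  fi
}

# audit: read constructed "host version" lines on stdin, print host and status.
audit() {
  while read -r host ver; do
    if [ -n "$host" ]; then
      printf '%s %s\n' "$host" "$(classify "$ver")"
    fi
  done
}

# Constructed inventory (hypothetical hosts); the third entry is the fixed
# build string quoted in the advisory's timeline.
audit <<'EOF'
mac-01 2.4.0
mac-02 2.11.0
mac-03 2.5.2-20180906142014+a801e75b82
EOF
```

Versions reported as `upgrade-recommended` already contain the fix but are below the v2.11 the advisory asks for.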
- 2018 Aug 20 — Vulnerability reported via HackerOne
- 2018 Sep 6 — Fix committed to master
- 2018 Sep 6 — New MacOS release (2.5.2-20180906142014+a801e75b82) pushed out via auto-updater
- 2018 Dec 3 — E-mails sent out to all users still running affected versions, asking for users to upgrade
- 2018 Dec 4 - In-app warnings sent out to all old applications, asking for users to upgrade
- 2018 Dec 6 — In-app message from max asking for users to upgrade
- 2018 Dec 7 — Affected versions bricked via server switch
- 2018 Dec 18 — This announcement