Local Privilege Escalation on Linux via keybase-redirector (KB002)
2018 Dec 18
file system redirector
/keybase mountpoint on Linux machines (and macOS machines that have enabled Finder integration). In order to support multiple users running Keybase on the same machine, both able to access the Keybase file system through /keybase paths, this mountpoint acts as a redirector, using FUSE to present symlinks to users, redirecting them to their personal Keybase file system mountpoint (usually located at /run/user/UID/keybase/kbfs on Linux, though it varies by OS distribution and local configuration). The binary that creates this mountpoint is called keybase-redirector, and the Keybase package installer sets its suid bit so that it can have root permissions, which are necessary to create the mountpoint and to mount a FUSE file system that can be accessed by multiple users. It is executable by any user, since users run Keybase under their own accounts.
The attack was possible due to a previous version of keybase-redirector that used the fusermount binary to create the /keybase mountpoint. It did this indirectly through a call to the Mount() function in the Go library bazil.org/fuse (forked for Keybase here), after obtaining root privileges. That function used Go's exec.Command function to execute a call to fusermount. However, it did not specify an absolute path or clear the environment when doing so. Because of this, malicious software running on the user's computer could make any fusermount, set their $PATH environment variable to include the directory containing that executable, and call keybase-redirector, tricking it into running that executable with
Note that macOS was not vulnerable to this bug, because keybase-redirector does not have the suid bit set on that platform. It is only run by root via the Keybase helper.
This attack was discovered by HackerOne researcher Rich Mirch (mirchr) on 2018 Oct 22. We are deeply thankful to Rich for doing such good research and for sharing his findings in such a timely and responsible manner.
The immediate fix was a change to restrict the PATH used by keybase-redirector. Later, we further hardened the redirector by directly using the Mount syscall instead of a separate binary when running as root, and minimizing the time we use root privileges. The result is that keybase-redirector no longer executes other binaries, and only uses root permissions while performing the syscall. It reverts to user permissions while serving FUSE requests for users of the
We released the initial fix in late October 2018 (2.8.0-20181023124437), and the further-hardened version in November 2018 (2.10.0-20181112152732).
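The $PATH lookup behind the bug, next to the two properties the advisory says were missing (an absolute path and a cleared environment), as an added Go example that is not Keybase's code. The function names, the trustedPath value and the /bin/fusermount location are assumptions for illustration; nothing is executed, only resolved.

```go
package main

import (
	"fmt"
	"os"
	"os/exec"
	"path/filepath"
)

// Assumed values for this example; real locations vary by distribution.
const trustedPath, helperPath = "/usr/sbin:/usr/bin:/sbin:/bin", "/bin/fusermount"

// resolveUnsafe: bare name, looked up through the caller-controlled $PATH.
func resolveUnsafe(name string) string { return exec.Command(name).Path }

// hardenedCommand accepts only an absolute path and replaces the inherited
// environment, so the invoking user's $PATH is never consulted.
func hardenedCommand(absPath string, args ...string) (*exec.Cmd, error) {
	if !filepath.IsAbs(absPath) {
		return nil, fmt.Errorf("refusing non-absolute helper path %q", absPath)
	}
	cmd := exec.Command(absPath, args...)
	cmd.Env = []string{"PATH=" + trustedPath}
	return cmd, nil
}

// demo puts a constructed directory holding an empty file named "fusermount"
// first in $PATH and reports what each form would execute (nothing is run).
func demo() (unsafePath, safePath string, err error) {
	dir, err := os.MkdirTemp("", "pathdemo")
	if err != nil {
		return "", "", err
	}
	defer os.RemoveAll(dir)
	if err = os.WriteFile(filepath.Join(dir, "fusermount"), nil, 0o755); err != nil {
		return "", "", err
	}
	old := os.Getenv("PATH")
	defer os.Setenv("PATH", old)
	os.Setenv("PATH", dir+string(os.PathListSeparator)+old)
	cmd, err := hardenedCommand(helperPath)
	if err != nil {
		return "", "", err
	}
	return resolveUnsafe("fusermount"), cmd.Path, nil
}

func main() { fmt.Println(demo()) }
```

In a suid program the same reasoning applies to every inherited variable, which is why the environment is replaced wholesale rather than filtered.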
Keybase versions released on or after March 1, 2018 (commit 06b97bb3), and prior to 2.8.0-20181023124437.
Upgrade to 2.8.0-20181023124437 or above. All package repos received an upgraded package shortly after the bug was discovered.
It is also possible to disable the file system redirector if it's not wanted. See the instructions here under "Root redirector".
- 2018 Oct 22 — Vulnerability reported to HackerOne
- 2018 Oct 22 — Fix committed to master
- 2018 Oct 23 — New Linux release (2.8.0-20181023124437) pushed out to distribution package repositories for Ubuntu, Red Hat, and Arch
- 2018 Nov 11 — Subsequent release with further hardening (2.10.0-20181112152732)
- 2018 Dec 3 — E-mails sent out to all users still running affected versions, asking for users to upgrade
- 2018 Dec 4 — In-app warnings sent out to all old applications, asking for users to upgrade
- 2018 Dec 6 — In-app message from max asking for users to upgrade
- 2018 Dec 11 — Affected versions bricked via server switch
- 2018 Dec 18 — This announcement