Security Updates

Local Privilege Escalation in MacOS via Keybase Helper (KB004)

Publication Date

2018 Jan 30

Description

After our previous security disclosure, the Keybase update/installer system has attracted additional scrutiny from security researchers. We collected reports from five researchers who found further bugs in the Keybase Helper process and Keybase Installer process, both of which are used to keep Keybase up-to-date without user intervention.

There were three bugs found in these reports: (1) there was a race condition in the code that checked that the Helper was talking to an authorized Installer, primarily due to the fact that Apple does not publish the secure APIs for doing so; (2) there was a time-of-check-to-time-of-use (TOCTOU) bug in placing the redirector process into its run location, which would allow an attacker to fool the installer into putting a symbolic link into a secure location that could then be replaced; and (3) the move RPC to the Helper was susceptible to TOCTOU bugs and would also allow one user of the system (who didn't have root access) to tamper with another's installs.

Malicious software (outside of Keybase) running on the local computer could have used such a bug to escalate privileges.

We thank the following HackerOne researchers for their excellent research, and their responsible and timely reporting:

The Fix

These reports prompted us to rearchitect our Helper, to significantly reduce the width of its API. In particular, the move RPC has been retired, and the install of the new application is done outside of the privileged Helper, without escalated privileges. Also, we're now careful to check file types when moving files to privileged locations to avoid symlink-based attacks.
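Bugs (2) and (3) above and the file-type check in the fix, as an added C example that is not Keybase's code: a hypothetical `safe_install_file` routine that refuses symlinks at both the source and the destination and checks the opened descriptor rather than the path, plus a constructed scratch-directory scenario (`demo_symlink_refused`) that exercises it.

```c
#define _GNU_SOURCE
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>
#include <sys/stat.h>

/* Hypothetical helper routine (not Keybase's): copy src into dst_dir/dst_name.
 * 0 on success; -1 if src is not a plain regular file, if anything (file or
 * symlink) already occupies the destination, or on I/O error. */
int safe_install_file(const char *src, const char *dst_dir, const char *dst_name) {
    /* O_NOFOLLOW fails rather than following a symlink at the last component;
     * fstat on the open descriptor (not stat on the path) leaves no window
     * between the check and the use in which the file could be swapped. */
    int in = open(src, O_RDONLY | O_NOFOLLOW);
    if (in < 0) return -1;
    struct stat st;
    if (fstat(in, &st) != 0 || !S_ISREG(st.st_mode)) { close(in); return -1; }
    int dir = open(dst_dir, O_RDONLY | O_DIRECTORY | O_NOFOLLOW);
    if (dir < 0) { close(in); return -1; }
    /* O_CREAT|O_EXCL refuses if a file or a pre-planted symlink already sits
     * at the name, so the write cannot be redirected elsewhere. */
    int out = openat(dir, dst_name, O_WRONLY | O_CREAT | O_EXCL | O_NOFOLLOW, 0755);
    close(dir);
    if (out < 0) { close(in); return -1; }
    char buf[4096]; ssize_t n; int rc = 0;
    while ((n = read(in, buf, sizeof buf)) > 0)
        if (write(out, buf, (size_t)n) != n) { rc = -1; break; }
    if (n < 0) rc = -1;
    close(in); close(out);
    return rc;
}

/* Constructed scenario in a scratch dir standing in for a privileged location:
 * a regular file, a symlink to it, and a symlink pre-planted at a destination
 * name. Returns 1 if the regular file installs and both symlink cases are refused. */
int demo_symlink_refused(void) {
    char dir[] = "/tmp/kbdemoXXXXXX";
    if (!mkdtemp(dir)) return 0;
    char real[300], link[300], planted[300];
    snprintf(real, sizeof real, "%s/real.bin", dir);
    snprintf(link, sizeof link, "%s/link.bin", dir);
    snprintf(planted, sizeof planted, "%s/planted.bin", dir);
    FILE *f = fopen(real, "w");
    if (!f) return 0;
    fputs("payload", f); fclose(f);
    if (symlink(real, link) != 0 || symlink(real, planted) != 0) return 0;
    int ok_real = safe_install_file(real, dir, "installed.bin") == 0;
    int refused_link_src = safe_install_file(link, dir, "installed2.bin") != 0;
    int refused_planted = safe_install_file(real, dir, "planted.bin") != 0;
    return ok_real && refused_link_src && refused_planted;
}
```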

Affected Versions

Keybase versions released prior to 2.12.6, released on January 1, 2018.

Remediation

Upgrade to v2.13 or above. Almost all users received a patched version via automatic upgrades shortly after the bug was discovered.

Timeline

  • 2018 Dec 19 through 29 - Vulnerabilities reported via HackerOne
  • 2018 Dec 28 - Partial fix released in 2.12.4-20181228150844+7724569b6d
  • 2019 Jan 01 - Complete fix released in 2.12.6-20190103194556+07470de987
  • 2019 Jan 15 - Subsequent minor release in 2.13.0
  • 2019 Jan 16 - E-mails sent out to all users still running affected versions, asking for upgrades
  • 2019 Jan 30 - In-app message from max sent out to all users still running affected versions, asking for upgrades
  • 2019 Jan 30 - This announcement, and disclosure on HackerOne