Local Privilege Escalation in macOS via Keybase Helper (KB004)
2019 Jan 30
- HackerOne Report: macOS privilege escalation via keybase install
- HackerOne Report: Privilege Escalation via Keybase Helper (incomplete security fix)
- HackerOne Report: Local privilege escalation bug using Keybase redirector on macOS
- HackerOne Report: Privilege Escalation through Keybase Installer via Helper
After our previous security disclosure, the Keybase update/installer system has attracted additional scrutiny from security researchers. We collected reports from five researchers who found further bugs in the Keybase Helper process and Keybase Installer process, both of which are used to keep Keybase up-to-date without user intervention.
There were three bugs found in these reports: (1) a race condition in the code that checked that the Helper was talking to an authorized Installer, largely because Apple does not publish the APIs needed to perform this check securely; (2) a time-of-check-to-time-of-use (TOCTOU) bug in placing the redirector process into its run location, which would allow an attacker to fool the Installer into putting a symbolic link into a secure location, whose target could then be replaced; and (3) a "move" RPC in the Helper that was susceptible to TOCTOU bugs and would also allow one user of the system (who did not have root access) to tamper with another user's install.
Malicious software (outside of Keybase) running on the local computer could have used such a bug to escalate privileges.
We thank the following HackerOne researchers for their excellent research, and their responsible and timely reporting:
These reports prompted us to rearchitect our Helper, to significantly reduce the width of its API. In particular, the move RPC has been retired, and the install of the new application is done outside of the privileged Helper, without escalated privileges. We are also now careful to check file types when moving files to privileged locations, to avoid symlink-based attacks.
Affected versions: all Keybase releases prior to 2.12.6, which was released on January 1, 2019.
Upgrade to v2.13 or above. Almost all users received a patched version via automatic upgrades shortly after the bug was discovered.
- 2018 Dec 19 through 29 - Vulnerabilities reported via HackerOne
- 2018 Dec 28 - Partial fix released in 2.12.4-20181228150844+7724569b6d
- 2019 Jan 01 - Complete fix released in 2.12.6-20190103194556+07470de987
- 2019 Jan 15 - Subsequent minor release in 2.13.0
- 2019 Jan 16 - E-mails sent to all users still running affected versions, asking them to upgrade
- 2019 Jan 30 - In-app message from max sent to all users still running affected versions, asking them to upgrade
- 2019 Jan 30 - This announcement, and disclosure on HackerOne