Security Updates
Local Privilege Escalation on Linux via keybase-redirector (KB002)
Publication Date
2018 Dec 18
External Links
Description
The Keybase file system redirector controls the /keybase mountpoint on Linux machines (and macOS machines that have enabled Finder integration). In order to support multiple users running Keybase on the same machine, both able to access the Keybase file system through /keybase paths, this mountpoint acts as a redirector, using FUSE to present symlinks to users, redirecting them to their personal Keybase file system mountpoint (usually located at /run/user/UID/keybase/kbfs on Linux, though it varies by OS distribution and local configuration). The binary that creates this mountpoint is called keybase-redirector, and the Keybase package installer sets its suid bit so that it can have root permissions, which are necessary to create the /keybase mountpoint and to mount a FUSE file system that can be accessed by multiple users. It is executable by any user, since users run Keybase under their own accounts.
The attack was possible due to a previous version of keybase-redirector that used the fusermount binary to create the /keybase mountpoint. It did this indirectly through a call to the Mount() function in the Go library bazil.org/fuse (forked for Keybase here), after obtaining root privileges. That function used Go's exec.Command function to execute a call to fusermount. However, it did not specify an absolute path or clear the environment when doing so. Because of this, malicious software running on the user's computer could create an executable named fusermount, set the $PATH environment variable to include the directory containing that executable, and call keybase-redirector, tricking it into running that executable with root permissions.
Note that macOS was not vulnerable to this bug, because keybase-redirector does not have the suid bit set on that platform. It is only run by root via the Keybase helper.
This attack was discovered by HackerOne researcher Rich Mirch (mirchr) on 2018 Oct 22. We are deeply thankful to Rich for doing such good research and for sharing his findings in such a timely and responsible manner.
The Fix
The immediate fix was a change to restrict the PATH used by keybase-redirector. Later, we further hardened the redirector by directly using the Mount syscall instead of a separate binary when running as root, and minimizing the time we use root privileges. The result is that keybase-redirector no longer executes other binaries, and only uses root permissions while performing the Mount syscall. It reverts to user permissions while serving FUSE requests for users of the /keybase mountpoint.
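As an added illustration, not Keybase's own code, of the two defects described above (exec.Command resolving the helper through the caller's $PATH and inheriting the caller's environment) and of the shape of the initial fix that restricted PATH, the following Go sketch shows how a setuid helper can locate and launch a companion binary without trusting anything the invoking user controls. The trusted directory list, the fixed environment and the function names are assumptions made for this example.

```go
package main

import (
	"errors"
	"os"
	"os/exec"
	"path/filepath"
)

// Directories a setuid-root helper may search for companion binaries (assumed list). The invoking user's $PATH is never consulted.
var trustedDirs = []string{"/usr/bin", "/bin", "/usr/sbin", "/sbin"}
// Minimal environment for any child process (assumed); nothing from the caller's environment (PATH, LD_*, ...) is passed through.
var fixedEnv = []string{"PATH=/usr/bin:/bin:/usr/sbin:/sbin"}
var errUntrusted = errors.New("helper not found in trusted directories")

// lookPathTrusted resolves a bare binary name to an absolute path inside
// dirs only; it replaces exec.LookPath / exec.Command(name) in a setuid helper.
func lookPathTrusted(name string, dirs []string) (string, error) {
	if name == "" || filepath.Base(name) != name {
		return "", errors.New("helper name must be a bare file name")
	}
	for _, d := range dirs {
		if !filepath.IsAbs(d) {
			continue // a relative entry such as "." would reintroduce the bug
		}
		p := filepath.Join(d, name)
		if fi, err := os.Stat(p); err == nil && !fi.IsDir() && fi.Mode()&0o111 != 0 {
			return p, nil
		}
	}
	return "", errUntrusted
}

// privilegedCommand builds an exec.Cmd with an absolute, trusted path and a
// fixed environment, so a caller-controlled $PATH or environment has no effect.
func privilegedCommand(helper string, dirs []string, args ...string) (*exec.Cmd, error) {
	path, err := lookPathTrusted(helper, dirs)
	if err != nil {
		return nil, err
	}
	cmd := exec.Command(path, args...)
	cmd.Env = fixedEnv
	return cmd, nil
}

func main() {
	_, err := privilegedCommand("fusermount", trustedDirs, "-u", "/keybase")
	println("trusted fusermount available:", err == nil)
}
```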
We released the initial fix in late October 2018 (2.8.0-20181023124437), and the further-hardened version in November 2018 (2.10.0-20181112152732).
Affected Versions
Keybase versions released on or after March 1, 2018 (commit 06b97bb3), and prior to 2.8.0-20181023124437.
Remediation
Upgrade to 2.8.0-20181023124437 or above. All package repos received an upgraded package shortly after the bug was discovered.
It is also possible to disable the file system redirector if it's not wanted. See the instructions here under "Root redirector".
Timeline
- 2018 Oct 22 — Vulnerability reported to HackerOne
- 2018 Oct 22 — Fix committed to master
- 2018 Oct 23 — New Linux release (2.8.0-20181023124437) pushed out to distribution package repositories for Ubuntu, Red Hat, and Arch
- 2018 Nov 11 — Subsequent release with further hardening (2.10.0-20181112152732)
- 2018 Dec 3 — E-mails sent out to all users still running affected versions, asking for users to upgrade
- 2018 Dec 4 — In-app warnings sent out to all old applications, asking for users to upgrade
- 2018 Dec 6 — In-app message from Max asking for users to upgrade
- 2018 Dec 11 — Affected versions bricked via server switch
- 2018 Dec 18 — This announcement