Local Privilege Escalation on Linux via keybase-redirector (KB002)

Publication Date

2018 Dec 18

Externals Links

• HackerOne Report from michr
• MITRE CVE-2018-18629

Description

The Keybase file system redirector controls the /keybase mountpoint on Linux machines (and macOS machines that have enabled Finder integration). In order to support multiple users running Keybase on the same machine, both able to access the Keybase file system through /keybase paths, this mountpoint acts as a redirector, using FUSE to present symlinks to user, redirecting them to their personal Keybase file system mountpoint (usually located at /run/user/UID/keybase/kbfs on Linux, though it varies by OS distribution and local configuration). The binary that creates this mountpoint is called keybase-redirector, and the Keybase package installer sets its suid bit so that it can have root permissions, which are necessary to create the /keybase mountpoint and to mount a FUSE file system that can be accessed by multiple users. It is executable by any user, since users run Keybase under their own accounts.

The attack was possible due to a previous version of keybase-redirector that used the fusermount binary to create the /keybase mountpoint. It did this indirectly through a call to the Mount() function in the Go library bazil.org/fuse (forked for Keybase here), after obtaining root privileges. That function used Go's exec.Command function to execute a call to fusermount. However, it did not specify an absolute path or clear the environment when doing so. Because of this, malicious software running on the user's computer could make any executable named fusermount, set their $PATH environment variable to include the directory containing that executable, and call keybase-redirector, tricking it into running that executable with root permissions.

Note that macOS was not vulnerable to this bug, because keybase-redirector does not have the suid bit set on that platform. It is only run by root via the Keybase helper.

This attack was discovered by HackerOne researcher Rich Mirch (mirchr) on 2018 Oct 22. We are deeply thankful to Rich for doing such good research and for sharing his findings in such a timely and responsible manner.

The Fix

The immediate fix was a change to restrict the PATH used by keybase-redirector. Later, we further hardened the redirector by directly using the Mount syscall instead of a separate binary when running as root, and minimizing the time we use root privileges. The result is that keybase-redirector no longer executes other binaries, and only uses root permissions while performing the Mount syscall. It reverts to user permissions while serving FUSE requests for users of the /keybase mountpoint.

We released the initial fix in late October 2018 (2.8.0-20181023124437), and the further-hardened version in November 2018 (2.10.0-20181112152732).

Affected Versions

Keybase versions release on or after March 1, 2018 (commit 06b97bb3), and prior to 2.8.0-20181023124437.

Remediation

Upgrade to 2.8.0-20181023124437 or above. All package repos received an upgraded package shortly after the bug was discovered.

It is also possible to disable the file system redirector if it's not wanted. See the instructions here under "Root redirector".

Timeline

• 2018 Oct 22 — Vulnerability reported to HackerOne
• 2018 Oct 22 — Fix commited to master
• 2018 Oct 23 — New Linux release (2.8.0-20181023124437) pushed out to distribution package repositories for Ubuntu, Red Hat, and Arch
• 2018 Nov 11 — Subsequent release with further hardening ((2.10.0-20181112152732)
• 2018 Dec 3 — E-mails sent out to all users still running affected versions, asking for users to upgrade
• 2018 Dec 4 — In-app warnings sent out to all old applications, asking for users to ugprade
• 2018 Dec 6 — In-app message from max asking for users to upgrade
• 2018 Dec 11 — Affected versions bricked via server switch
• 2018 Dec 18 — This announcement