AttackerKB AKB:FBBD7A87-937D-413F-90F6-2500B6C2F582
History: Dec 20, 2018 - 12:00 a.m.

CVE-2018-18629

2018-12-20 00:00:00
attackerkb.com
4

EPSS: 0.002 (Low)
Percentile: 55.8%

An issue was discovered in the Keybase command-line client before 2.8.0-20181023124437 for Linux. An untrusted search path vulnerability in the keybase-redirector application allows a local, unprivileged user on Linux to gain root privileges via a Trojan horse binary.

Recent assessments:

bulw4rk at March 26, 2020 6:56pm UTC reported:

Description

The installation of a vulnerable version of Keybase deploys a SUID binary named “keybase-redirector” which calls the “fusermount” binary using a relative path, making the application trust the value of $PATH. This triggers a PATH injection vulnerability which allows local privilege escalation by using a malicious file with its name set to “fusermount”.

Mitigation

The maintainer has released some fixes, so the software must be upgraded to Keybase version 2.8.0-20181023124437 or above.

Affected Systems

All Keybase versions prior to 2.8.0-20181023124437.

PoC

1- We can identify a potentially vulnerable installation with the following command, which will help us identify the SUID binary related to Keybase.

find / -perm -4000 2>/dev/null | grep keybase

2- To verify the vulnerability, we check that the output of the following command is prior to 2.8.0-20181023124437.

keybase -v

3- In case the software version is vulnerable, we may create a malicious binary (which executes, for example, a rshell, creates a high privilege user, etc.) with the name fusermount and deploy it on a directory to be injected on the PATH.

NOTE: Development and compilation of the binary left for the tester

4- We add the directory in the first position inside the path variable and execute the Keybase software.

env PATH=<malicious_dir_path>:$PATH /usr/bin/keybase-redirector /keybase

This will execute the payload inside the malicious binary as root.

Personal Notes
In some engagements, I have seen this software installed on workstations or servers from DevOps/SecDevOps teams, where they manage access keys and credentials for critical corporate infrastructure. Because of this, a vulnerable Keybase installation should not be taken lightly.

Assessed Attacker Value: 3
Assessed Attacker Value: 4
