141 matches found
Design/Logic Flaw
An issue was discovered in the Keybase command-line client before 2.8.0-20181023124437 for Linux. An untrusted search path vulnerability in the keybase-redirector application allows a local, unprivileged user on Linux to gain root privileges via a Trojan horse binary...
CVE-2018-18629
An issue was discovered in the Keybase command-line client before 2.8.0-20181023124437 for Linux. An untrusted search path vulnerability in the keybase-redirector application allows a local, unprivileged user on Linux to gain root privileges via a Trojan horse binary...
CVE-2018-18629
CVE-2018-18629 affects the Keybase command-line client for Linux prior to 2.8.0-20181023124437. A local untrusted search path vulnerability in the keybase-redirector (SUID root) lets a local unprivileged user escalate to root via a Trojan horse binary, by abusing a relative path when calling fuse...
Keybase: Local privilege escalation bug using Keybase redirector on macOS
There's a local privilege escalation bug in the latest version of Keybase for macOS. The issue is in the process of launching keybase-redirector. The process works as follows: 1. Copy keybase-redirector binary to a root-only location 2. Check its signature 3. Launch the binary Code ref. Note the...
CVE-2018-18629
An issue was discovered in the Keybase command-line client before 2.8.0-20181023124437 for Linux. An untrusted search path vulnerability in the keybase-redirector application allows a local, unprivileged user on Linux to gain root privileges via a Trojan horse binary. Recent assessments: bulw4rk ...
Keybase: Privilege Escalation via Keybase Helper (incomplete security fix)
The previous report was about the privileged helper's lack of validation, which lets any application abuse it to gain root privilege. But the security fix is incomplete. I can describe 3 different ways to bypass it, possibly 4, I doubt. All the PoCs are simplified to not send the actual attack payload,...
KeyBase Botnet 1.5 - SQL Injection
KeyBase Botnet 1.5 - SQL Injection Exploit Title: KeyBase Botnet v1.5 - SQL Injection Vulnerability Google Dork: intitle:"KeyBase: Login" + intext:" Login to get access to your logs " Date: 3/12/2018 Exploit Author: n4pst3r Vendor Homepage: unkn0wn Software Link: unkn0wn Version: v1.5 Tested on:...
KeyBase Botnet 1.5 SQL Injection
Exploit Title: KeyBase Botnet v1.5 - SQL Injection Vulnerability Google Dork: intitle:"KeyBase: Login" + intext:" Login to get access to your logs " Date: 3/12/2018 Exploit Author: n4pst3r Vendor Homepage: unkn0wn Software Link: unkn0wn Version: v1.5 Tested on: Windows 10, debian 7 CVE : n/a...
KeyBase Botnet 1.5 - SQL Injection
Exploit Title: KeyBase Botnet v1.5 - SQL Injection Vulnerability Google Dork: intitle:"KeyBase: Login" + intext:" Login to get access to your logs " Date: 3/12/2018 Exploit Author: n4pst3r Vendor Homepage: unkn0wn Software Link: unkn0wn Version: v1.5 Tested on: Windows 10, debian 7 CVE : n/a...
KeyBase Botnet v1.5 - SQL Injection Vulnerability
Exploit for php platform in category web applications Exploit Title: KeyBase Botnet v1.5 - SQL Injection Vulnerability Google Dork: intitle:"KeyBase: Login" + intext:" Login to get access to your logs " Date: 3/12/2018 Exploit Author: n4pst3r Vendor Homepage: unkn0wn Software Link: unkn0wn Versio...
Keybase: Keybase client: downloaded executables lack "com.apple.quarantine" meta-attribute [macOS]
Summary 1. Missing quarantine attribute for downloaded files allows remote attacker to send executable file that won't be checked by Gatekeeper codesign bypass. 2. Since sent executable files lack com.apple.quarantine meta-attribute, no alert about launching executable file from the web will be...
Keybase: Linux privilege escalation via trusted $PATH in keybase-redirector
keybase-redirector is a setuid root binary. keybase-redirector calls the fusermount binary using a relative path and the application trusts the value of $PATH. This allows a local, unprivileged user to trick the application into executing a custom fusermount binary as root. Environment CentOS Linux...
Keybase keybase-redirector - $PATH Local Privilege Escalation
Keybase keybase-redirector - $PATH Local Privilege Escalation keybase-redirector is a setuid root binary. keybase-redirector calls the fusermount binary using a relative path and the application trusts the value of $PATH. This allows a local, unprivileged user to trick the application to executin...
Keybase keybase-redirector - '$PATH' Local Privilege Escalation
keybase-redirector is a setuid root binary. keybase-redirector calls the fusermount binary using a relative path and the application trusts the value of $PATH. This allows a local, unprivileged user to trick the application into executing a custom fusermount binary as root. Environment CentOS Linux...
Keybase: Privilege Escalation via Keybase Helper
A privilege escalation vulnerability exists within the KeybaseHelper application available when installing the Keybase Desktop Application on MacOS. The issue is exposed via a LaunchDaemon plist which is installed within /Library/LaunchDaemons/keybase.Helper.plist. This file is responsible for...
Keybase: Fix bypass of different processing of usernames on Hackernews
Description In report https://hackerone.com/reports/307670 the reporter identified a flow which abuses parsing differences between Keybase and Hackernews. Although the original report is resolved, there appears to be a bypass having the same impact by abusing upper-case letters. Steps to reproduce 1...
Keybase: Claiming ownership of GitHub handles via forked GitHub gists.
Description An attacker can claim ownership of a GitHub user's handle if the user forks the attacker's gist with a verification snippet generated by the attacker pointing towards the user's handle. PoC With my colleague's permission @jackds I claimed their GitHub handle with this gist:...
Keybase: Keybase extension hostname-validation regular expression issue.
Description The following snippet in js/identities.js allows all hostnames ending in twitter.com, facebook.com, etc. to display the Keybase message window. The issue stems from the fact that you use . instead of \. in your regular expression. js service: "twitter", getUsername: functionloc return...
Keybase: Difference in query string parameter processing between Hacker News and Keybase Chrome extension spawns chat to incorrect user
Hello! When using the Keybase Chrome extension and viewing a Hacker News profile page with an additional id parameter in the query string, Hacker News uses the username from the first id parameter, whereas the Keybase extension uses the username from the second id parameter. Example URL:...
Insecure Cryptography
github.com/keybase/client uses insecure cryptographic measures when hiding URLs. If an attacker knows what the hash of a link is, they will be able to figure out the hidden data...