Moderate
CVE-2018-18629
Description
An issue was discovered in the Keybase command-line client before 2.8.0-20181023124437 for Linux. An untrusted search path vulnerability in the keybase-redirector application allows a local, unprivileged user on Linux to gain root privileges via a Trojan horse binary.
Ratings
- Attacker Value: Medium
- Exploitability: High
Technical Analysis
Description
The installation of a vulnerable version of Keybase deploys a SUID binary named “keybase-redirector” which calls the “fusermount” binary using a relative path, making the application trust the value of $PATH. This triggers a PATH injection vulnerability which allows local privilege escalation by using a malicious file with its name set to “fusermount”.
Mitigation
The maintainer has released some fixes, so the software must be upgraded to Keybase version 2.8.0-20181023124437 or above.
Affected Systems
All Keybase versions prior to 2.8.0-20181023124437.
PoC
1- We can identify a potentially vulnerable installation with the following command, which will help us identify the SUID binary related to Keybase.
find / -perm -4000 2>/dev/null | grep keybase
2- To verify the vulnerability, we check that the version printed by the following command is prior to 2.8.0-20181023124437.
keybase -v
3- In case the software version is vulnerable, we may create a malicious binary (which executes, for example, a rshell, creates a high privilege user, etc.) with the name fusermount and deploy it in a directory to be injected into the PATH.
NOTE: Development and compilation of the binary left for the tester
4- We add the directory in the first position inside the path variable and execute the Keybase software.
env PATH=<malicious_dir_path>:$PATH /usr/bin/keybase-redirector /keybase
This will execute the payload inside the malicious binary as root.
Personal Notes
In some engagements, I have seen this software installed on workstations or servers from DevOps/SecDevOps teams, where they manage access keys and credentials for critical corporate infrastructure. Because of this, a vulnerable Keybase installation should not be taken lightly.
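As an added example (not part of the original assessment and not Keybase's own tooling), the following POSIX shell check automates steps 1 and 2 for fleet auditing: it tests whether the redirector is SUID and compares the installed build against the fixed build 2.8.0-20181023124437. It assumes `keybase -v` prints a string containing the `X.Y.Z-TIMESTAMP` build identifier; the function names are hypothetical.

```shell
#!/bin/sh
# Added example: audit a host for exposure to CVE-2018-18629.
FIXED_VERSION="2.8.0-20181023124437"   # first fixed build, as stated on this page

# Pull the first X.Y.Z[-TIMESTAMP] token out of `keybase -v` output.
# Assumption: the output contains the build identifier in this form.
extract_version() {
    printf '%s\n' "$1" | grep -Eo '[0-9]+\.[0-9]+\.[0-9]+(-[0-9]+)?' | head -n 1
}

# Exit 0 if version $1 is older than $2, 1 if it is not, 2 if either is unparsable.
# Fields are compared numerically, so 2.10.0 sorts after 2.8.0; a missing
# timestamp counts as 0 (older than any timestamped build of the same release).
version_lt() {
    printf '%s %s\n' "${1%%+*}" "${2%%+*}" | awk '
        NF != 2 { exit 2 }
        {
            for (i = 1; i <= 2; i++)
                if ($i !~ /^[0-9]+\.[0-9]+\.[0-9]+(-[0-9]+)?$/) exit 2
            split($1, a, /[.-]/); split($2, b, /[.-]/)
            for (i = 1; i <= 4; i++) {
                if (a[i] + 0 < b[i] + 0) exit 0
                if (a[i] + 0 > b[i] + 0) exit 1
            }
            exit 1   # identical versions: not older
        }'
}

# Classify `keybase -v` output: prints VULNERABLE, PATCHED or UNKNOWN.
classify_keybase() {
    ver=$(extract_version "$1")
    version_lt "$ver" "$FIXED_VERSION" && rc=0 || rc=$?
    case $rc in
        0) echo VULNERABLE ;;
        1) echo PATCHED ;;
        *) echo UNKNOWN ;;   # unparsable output needs manual review
    esac
}

# Report on this host; the default path is the one used on this page.
audit_host() {
    redirector=${1:-/usr/bin/keybase-redirector}
    if [ ! -u "$redirector" ]; then
        echo "no SUID keybase-redirector at $redirector"
        return 0
    fi
    out=$(keybase -v 2>/dev/null) || out=""
    echo "$redirector is SUID; keybase build: $(classify_keybase "$out")"
}

audit_host "$@"
```

An UNKNOWN result means the version string could not be parsed and the host should be checked by hand rather than assumed safe.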
General Information
Vendors
- keybase
Products
- keybase