Hacking

KeePass 2.X Master Password Dumper allows retrieving the KeePass master password

A researcher published a PoC tool to retrieve the master password from KeePass by exploiting the CVE-2023-32784 vulnerability.

Security researcher Vdohney released a PoC tool called KeePass 2.X Master Password Dumper that allows retrieving the master password for KeePass.

The tool exploits the unpatched KeePass vulnerability, tracked CVE-2023-32784, to retrieve the master password from the memory of KeePass 2.x versions.

“In KeePass 2.x before 2.54, it is possible to recover the cleartext master password from a memory dump, even when a workspace is locked or no longer running. The memory dump can be a KeePass process dump, swap file (pagefile.sys), hibernation file (hiberfil.sys), or RAM dump of the entire system.” reads the description for this vulnerability. “The first character cannot be recovered. In 2.54, there is different API usage and/or random string insertion for mitigation.”

KeePass is a free and open-source software used to securely manage passwords. It functions as a digital “safe” where users can store and organize their sensitive information, including passwords, credit card numbers, notes, and other sensitive information. KeePass encrypts the data using a master key or master password that you need to provide in order to access the stored information.

The vulnerability should be fixed in KeePass 2.54, which is planned to be released at the beginning of June 2023.

The problem stems from the use of a custom-developed text box (‘SecureTextBoxEx’) for password entry in the KeePass 2.X. This text box is not only used for the master password entry, but in other places in KeePass as well, like password edit boxes allowing an attacker to use it to recover their contents.

For every character typed, a leftover string is created in memory.

“Because of how .NET works, it is nearly impossible to get rid of it once it gets created. For example, when “Password” is typed, it will result in these leftover strings: •a, ••s, •••s, ••••w, •••••o, ••••••r, •••••••d.” “The POC application searches the dump for these patterns and offers a likely password character for each position in the password.” reads the post published by the Vdohney.

The success of the attack depends on how the password was typed and how many passwords were typed per session. The expert explained that even if there are multiple passwords per session or typos, the way .NET CLR allocates these strings means that they are likely to be nicely ordered in memory. For example, if the user typed three different passwords, the attacker is likely to get three candidates for each character position in that order, allowing to recover all three passwords.

The researchers pointed out that the password can be retrieved only when it has been typed on a keyboard, not copied from a clipboard. 

The initial patch released to address the issue calls Windows API functions for getting/setting the text of the text box directly, in order to avoid the creation of managed strings. 

The good news is that the CVE-2023-32784 vulnerability can only be exploited by a local attacker.

“If you have a reasonable suspicion that someone could obtain access to your computer and conduct forensic analysis, this could be bad. Worst case scenario is that the master password will be recovered, despite KeePass being locked or not running at all.” ” the researcher concludes.

“If you use full disk encryption with a strong password and your system is clean, you should be fine. No one can steal your passwords remotely over the internet with this finding alone.”

Once the KeePass 2.54 will be available install it, then for users that have been using KeePass for a long time, their master password (and potentially other passwords) is likely in the pagefile/swapfile and hibernation file. The expert recommends to:

  • Change your master password
  • Delete hibernation file
  • Delete pagefile/swapfile (can be quite annoying)
  • Overwrite deleted data on the HDD to prevent carving (e.g. Cipher with /w on Windows)
  • Restart your computer

Or just overwrite their HDD and do a fresh install of the OS.

Please nominate Security Affairs as your favorite blog.

Nominate Pierluigi Paganini and Security Affairs here here: https://docs.google.com/forms/d/e/1FAIpQLSepvnj8b7QzMdLh7vWEDQDqohjBUsHyn3x3xRdYGCetwVy2DA/viewform

Follow me on Twitter: @securityaffairs and Facebook and Mastodon

Pierluigi Paganini

(SecurityAffairs – hacking, password)

Pierluigi Paganini

Pierluigi Paganini is member of the ENISA (European Union Agency for Network and Information Security) Threat Landscape Stakeholder Group and Cyber G7 Group, he is also a Security Evangelist, Security Analyst and Freelance Writer. Editor-in-Chief at "Cyber Defense Magazine", Pierluigi is a cyber security expert with over 20 years experience in the field, he is Certified Ethical Hacker at EC Council in London. The passion for writing and a strong belief that security is founded on sharing and awareness led Pierluigi to find the security blog "Security Affairs" recently named a Top National Security Resource for US. Pierluigi is a member of the "The Hacker News" team and he is a writer for some major publications in the field such as Cyber War Zone, ICTTF, Infosec Island, Infosec Institute, The Hacker News Magazine and for many other Security magazines. Author of the Books "The Deep Dark Web" and “Digital Virtual Currency and Bitcoin”.

Recent Posts

DoJ seized credit card marketplace PopeyeTools and charges its administrators

The U.S. seized the stolen credit card marketplace PopeyeTools and charged its operators, this is…

5 hours ago

A cyberattack on gambling giant IGT disrupted portions of its IT systems

A cyberattack on gambling giant IGT disrupted its systems, forcing the company to take certain…

22 hours ago

China-linked APT Gelsemium uses a new Linux backdoor dubbed WolfsBane

China-linked APT Gelsemium has been observed using a new Linux backdoor dubbed WolfsBane in attacks targeting…

1 day ago

Microsoft seized 240 sites used by the ONNX phishing service<gwmw style="display: none; background-color: transparent;"></gwmw>

Microsoft disrupted the ONNX phishing service, seizing 240 sites and naming an Egyptian man as…

1 day ago

U.S. CISA adds Apple, Oracle Agile PLM bugs to its Known Exploited Vulnerabilities catalog

U.S. Cybersecurity and Infrastructure Security Agency (CISA) adds Apple, Oracle Agile PLM bugs to its…

2 days ago

More than 2,000 Palo Alto Networks firewalls hacked exploiting recently patched zero-days

Threat actors already hacked thousands of Palo Alto Networks firewalls exploiting recently patched zero-day vulnerabilities.…

2 days ago

This website uses cookies.