KeePass 2.X Master Password Dumper allows retrieving the KeePass master password

A researcher published a PoC tool to retrieve the master password from KeePass by exploiting the CVE-2023-32784 vulnerability.

Security researcher Vdohney released a PoC tool called KeePass 2.X Master Password Dumper that allows retrieving the master password for KeePass.

The tool exploits the unpatched KeePass vulnerability, tracked CVE-2023-32784, to retrieve the master password from the memory of KeePass 2.x versions.

“In KeePass 2.x before 2.54, it is possible to recover the cleartext master password from a memory dump, even when a workspace is locked or no longer running. The memory dump can be a KeePass process dump, swap file (pagefile.sys), hibernation file (hiberfil.sys), or RAM dump of the entire system.” reads the description for this vulnerability. “The first character cannot be recovered. In 2.54, there is different API usage and/or random string insertion for mitigation.”

KeePass is a free and open-source software used to securely manage passwords. It functions as a digital “safe” where users can store and organize their sensitive information, including passwords, credit card numbers, notes, and other sensitive information. KeePass encrypts the data using a master key or master password that you need to provide in order to access the stored information.

The vulnerability should be fixed in KeePass 2.54, which is planned to be released at the beginning of June 2023.

The problem stems from the use of a custom-developed text box (‘SecureTextBoxEx’) for password entry in the KeePass 2.X. This text box is not only used for the master password entry, but in other places in KeePass as well, like password edit boxes allowing an attacker to use it to recover their contents.

For every character typed, a leftover string is created in memory.

“Because of how .NET works, it is nearly impossible to get rid of it once it gets created. For example, when “Password” is typed, it will result in these leftover strings: •a, ••s, •••s, ••••w, •••••o, ••••••r, •••••••d.” “The POC application searches the dump for these patterns and offers a likely password character for each position in the password.” reads the post published by the Vdohney.

The success of the attack depends on how the password was typed and how many passwords were typed per session. The expert explained that even if there are multiple passwords per session or typos, the way .NET CLR allocates these strings means that they are likely to be nicely ordered in memory. For example, if the user typed three different passwords, the attacker is likely to get three candidates for each character position in that order, allowing to recover all three passwords.

The researchers pointed out that the password can be retrieved only when it has been typed on a keyboard, not copied from a clipboard. 

The initial patch released to address the issue calls Windows API functions for getting/setting the text of the text box directly, in order to avoid the creation of managed strings. 

The good news is that the CVE-2023-32784 vulnerability can only be exploited by a local attacker.

“If you have a reasonable suspicion that someone could obtain access to your computer and conduct forensic analysis, this could be bad. Worst case scenario is that the master password will be recovered, despite KeePass being locked or not running at all.” ” the researcher concludes.

“If you use full disk encryption with a strong password and your system is clean, you should be fine. No one can steal your passwords remotely over the internet with this finding alone.”

Once the KeePass 2.54 will be available install it, then for users that have been using KeePass for a long time, their master password (and potentially other passwords) is likely in the pagefile/swapfile and hibernation file. The expert recommends to:

• Change your master password
• Delete hibernation file
• Delete pagefile/swapfile (can be quite annoying)
• Overwrite deleted data on the HDD to prevent carving (e.g. Cipher with /w on Windows)
• Restart your computer

Or just overwrite their HDD and do a fresh install of the OS.

Please nominate Security Affairs as your favorite blog.

Nominate Pierluigi Paganini and Security Affairs here here: https://docs.google.com/forms/d/e/1FAIpQLSepvnj8b7QzMdLh7vWEDQDqohjBUsHyn3x3xRdYGCetwVy2DA/viewform

Follow me on Twitter: @securityaffairs and Facebook and Mastodon

Pierluigi Paganini

(SecurityAffairs – hacking, password)