Pierluigi Paganini November 03, 2015

KeeFarce is a recently released hacking tool that swipes encrypted credentials from the KeePass password manager through the DLL injection.

A password manager is considered one of the most secure tools to archive strong passwords in a computer. Unfortunately, the presence of a malware on the PC can expose passwords even if they are stored with a password manager.

A hacking tool recently released subbed KeeFarce is able to silently decrypts all usernames, passwords, and notes stored by the popular KeePass password manager and transcribes them information into a file.

“Indeed, if the operating system is owned, then it’s game over,” explained to Ars, Denis Andzakovic researcher at Security Assessment and the creator of KeeFarce.

Hackers can execute the KeeFarce tool on a computer where a logged in user has unlocked the KeePass database, under this condition, KeeFarce is able to decrypt the entire password archive.

“The point of KeeFarce is to actually obtain the contents of the password database. Say a penetration tester has achieved domain admin access to a network but also wants to obtain access to networking hardware, non-domain infrastructure, etcetera. The tester can compromise a sysadmin’s machine and use the tool to swipe the password details from the KeePass instance the sysadmin has open.” added Andzakovic.

KeeFarce is able to bypass the process memory protection implemented by the KeePass password manager, it extracts the passwords from the database by injecting a dynamic link library code. The injected DLL is able to invoke an existing function in KeePass that exports the contents of a currently open database to an external file in CSV format. The extracted data is in clear text and includes user names, passwords, notes, and URLs.

The DLL injection is a common process to allow programs to interoperate, but it could be abused to insert malicious code in the context of a running application.

KeeFarce works against KeePass 2.28, 2.29 and 2.30 running on Windows 8.1 (32 and 64 bit), it should also work on older Windows machines.

Tools like KeeFarce reminds us that password managers could represent a single point of failure that could be exploited with severe repercussion by hackers.

Similar tools could be used to hack also other commercial password managers.

Pierluigi Paganini

(Security Affairs – KeeFarce, Password Manager)