Connect with us

Hi, what are you looking for?



PoC Tool Exploits Unpatched KeePass Vulnerability to Retrieve Master Passwords

Researcher publishes PoC tool that exploits unpatched KeePass vulnerability to retrieve the master password from memory.

A researcher has published a proof-of-concept (PoC) tool that exploits an unpatched KeePass vulnerability to retrieve the master password from the program’s memory.

An open source password manager primarily designed for Windows, KeePass can also be used on macOS and Linux, through the open source .NET-compatible framework Mono.

Tracked as CVE-2023-32784, the issue impacts KeePass 2.x versions and allows an attacker to retrieve the cleartext master password from a memory dump. The flaw is exploitable even on workspaces that have been locked or are no longer running.

“The memory dump can be a KeePass process dump, swap file (pagefile.sys), hibernation file (hiberfil.sys), or RAM dump of the entire system. The first character cannot be recovered,” a NIST advisory reads.

The issue is that the custom-developed textbox that KeePass uses for password entry creates a leftover string in memory for each character typed, security researcher Vdohney explains.

“Because of how .NET works, it is nearly impossible to get rid of it once it gets created. For example, when ‘Password’ is typed, it will result in these leftover strings: •a, ••s, •••s, ••••w, •••••o, ••••••r, •••••••d,” the researcher notes.

Vdohney’s PoC tool, called KeePass 2.X Master Password Dumper, searches the memory dump for these patterns to retrieve any typed password – because KeePass uses the same textbox in password edit boxes as well, those passwords can be recovered too.

Advertisement. Scroll to continue reading.

According to the researcher, even if multiple passwords are typed in the same session, these strings should be ordered in memory, meaning that the tool can be used to retrieve all passwords.

“Apart from the first password character, it is mostly able to recover the password in plaintext. No code execution on the target system is required, just a memory dump,” the researcher notes.

While a fix for this vulnerability has been included in the test versions of KeePass 2.54, the official release will become available only in July.

The patch adds a Windows API function call to avoid the creation of managed strings. Additionally, KeePass now creates dummy fragments in memory, which are mixed with the correct fragments.

Even if the official patch is months away, there is no reason to panic, Vdohney says. The vulnerability cannot be exploited remotely, meaning that, unless the computer is already infected with malware, users should not be worried about this flaw’s exploitation.

“If your computer is already infected by malware that’s running in the background with the privileges of your user, this finding doesn’t make your situation much worse,” the researcher notes.

Related: Chrome 113 Security Update Patches Critical Vulnerability

Related: WordPress Field Builder Plugin Vulnerability Exploited in Attacks Two Days After Patch

Related: Microsoft: Iranian APTs Exploiting Recent PaperCut Vulnerability

Written By

Ionut Arghire is an international correspondent for SecurityWeek.

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

SecurityWeek’s Threat Detection and Incident Response Summit brings together security practitioners from around the world to share war stories on breaches, APT attacks and threat intelligence.


Securityweek’s CISO Forum will address issues and challenges that are top of mind for today’s security leaders and what the future looks like as chief defenders of the enterprise.


Expert Insights

Related Content


Less than a week after announcing that it would suspended service indefinitely due to a conflict with an (at the time) unnamed security researcher...

Data Breaches

OpenAI has confirmed a ChatGPT data breach on the same day a security firm reported seeing the use of a component affected by an...

Risk Management

The supply chain threat is directly linked to attack surface management, but the supply chain must be known and understood before it can be...


The latest Chrome update brings patches for eight vulnerabilities, including seven reported by external researchers.


Patch Tuesday: Microsoft warns vulnerability (CVE-2023-23397) could lead to exploitation before an email is viewed in the Preview Pane.


Apple has released updates for macOS, iOS and Safari and they all include a WebKit patch for a zero-day vulnerability tracked as CVE-2023-23529.

IoT Security

A group of seven security researchers have discovered numerous vulnerabilities in vehicles from 16 car makers, including bugs that allowed them to control car...

IoT Security

A vulnerability affecting Dahua cameras and video recorders can be exploited by threat actors to modify a device’s system time.