Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

Vulnerabilities

PoC Tool Exploits Unpatched KeePass Vulnerability to Retrieve Master Passwords

Researcher publishes PoC tool that exploits unpatched KeePass vulnerability to retrieve the master password from memory.

A researcher has published a proof-of-concept (PoC) tool that exploits an unpatched KeePass vulnerability to retrieve the master password from the program’s memory.

An open source password manager primarily designed for Windows, KeePass can also be used on macOS and Linux, through the open source .NET-compatible framework Mono.

Tracked as CVE-2023-32784, the issue impacts KeePass 2.x versions and allows an attacker to retrieve the cleartext master password from a memory dump. The flaw is exploitable even on workspaces that have been locked or are no longer running.

“The memory dump can be a KeePass process dump, swap file (pagefile.sys), hibernation file (hiberfil.sys), or RAM dump of the entire system. The first character cannot be recovered,” a NIST advisory reads.

The issue is that the custom-developed textbox that KeePass uses for password entry creates a leftover string in memory for each character typed, security researcher Vdohney explains.

“Because of how .NET works, it is nearly impossible to get rid of it once it gets created. For example, when ‘Password’ is typed, it will result in these leftover strings: •a, ••s, •••s, ••••w, •••••o, ••••••r, •••••••d,” the researcher notes.

Vdohney’s PoC tool, called KeePass 2.X Master Password Dumper, searches the memory dump for these patterns to retrieve any typed password – because KeePass uses the same textbox in password edit boxes as well, those passwords can be recovered too.

According to the researcher, even if multiple passwords are typed in the same session, these strings should be ordered in memory, meaning that the tool can be used to retrieve all passwords.

Advertisement. Scroll to continue reading.

“Apart from the first password character, it is mostly able to recover the password in plaintext. No code execution on the target system is required, just a memory dump,” the researcher notes.

While a fix for this vulnerability has been included in the test versions of KeePass 2.54, the official release will become available only in July.

The patch adds a Windows API function call to avoid the creation of managed strings. Additionally, KeePass now creates dummy fragments in memory, which are mixed with the correct fragments.

Even if the official patch is months away, there is no reason to panic, Vdohney says. The vulnerability cannot be exploited remotely, meaning that, unless the computer is already infected with malware, users should not be worried about this flaw’s exploitation.

“If your computer is already infected by malware that’s running in the background with the privileges of your user, this finding doesn’t make your situation much worse,” the researcher notes.

Related: Chrome 113 Security Update Patches Critical Vulnerability

Related: WordPress Field Builder Plugin Vulnerability Exploited in Attacks Two Days After Patch

Related: Microsoft: Iranian APTs Exploiting Recent PaperCut Vulnerability

Written By

Ionut Arghire is an international correspondent for SecurityWeek.

Click to comment

Trending

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join this event as we dive into threat hunting tools and frameworks, and explore value of threat intelligence data in the defender’s security stack.

Register

Learn how integrating BAS and Automated Penetration Testing empowers security teams to quickly identify and validate threats, enabling prompt response and remediation.

Register

People on the Move

Wendi Whitmore has taken the role of Chief Security Intelligence Officer at Palo Alto Networks.

Phil Venables, former CISO of Google Cloud, has joined Ballistic Ventures as a Venture Partner.

David Currie, former CISO of Nubank and Klarna, has been appointed CEO of Vaultree.

More People On The Move

Expert Insights

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest cybersecurity news, threats, and expert insights. Unsubscribe at any time.