A researcher has published a proof-of-concept (PoC) tool that exploits an unpatched KeePass vulnerability to retrieve the master password from the program’s memory.
An open source password manager primarily designed for Windows, KeePass can also be used on macOS and Linux, through the open source .NET-compatible framework Mono.
Tracked as CVE-2023-32784, the issue impacts KeePass 2.x versions and allows an attacker to retrieve the cleartext master password from a memory dump. The flaw is exploitable even on workspaces that have been locked or are no longer running.
“The memory dump can be a KeePass process dump, swap file (pagefile.sys), hibernation file (hiberfil.sys), or RAM dump of the entire system. The first character cannot be recovered,” a NIST advisory reads.
The issue is that the custom-developed textbox that KeePass uses for password entry creates a leftover string in memory for each character typed, security researcher Vdohney explains.
“Because of how .NET works, it is nearly impossible to get rid of it once it gets created. For example, when ‘Password’ is typed, it will result in these leftover strings: •a, ••s, •••s, ••••w, •••••o, ••••••r, •••••••d,” the researcher notes.
Vdohney’s PoC tool, called KeePass 2.X Master Password Dumper, searches the memory dump for these patterns to retrieve any typed password – because KeePass uses the same textbox in password edit boxes as well, those passwords can be recovered too.
According to the researcher, even if multiple passwords are typed in the same session, these strings should be ordered in memory, meaning that the tool can be used to retrieve all passwords.
“Apart from the first password character, it is mostly able to recover the password in plaintext. No code execution on the target system is required, just a memory dump,” the researcher notes.
While a fix for this vulnerability has been included in the test versions of KeePass 2.54, the official release will become available only in July.
The patch adds a Windows API function call to avoid the creation of managed strings. Additionally, KeePass now creates dummy fragments in memory, which are mixed with the correct fragments.
Even if the official patch is months away, there is no reason to panic, Vdohney says. The vulnerability cannot be exploited remotely, meaning that, unless the computer is already infected with malware, users should not be worried about this flaw’s exploitation.
“If your computer is already infected by malware that’s running in the background with the privileges of your user, this finding doesn’t make your situation much worse,” the researcher notes.
Related: Chrome 113 Security Update Patches Critical Vulnerability
Related: WordPress Field Builder Plugin Vulnerability Exploited in Attacks Two Days After Patch
Related: Microsoft: Iranian APTs Exploiting Recent PaperCut Vulnerability