KeePass vulnerability puts master passwords at risk

A proof-of-concept (PoC) tool called “KeePass 2.X Master Password Dumper” allows the KeePass master key to be obtained by exploiting the vulnerability tracked as CVE-2023-32784.

Security researcher Vdohney has released a PoC tool called KeePass 2.X Master Password Dumper. This tool exploits the vulnerability tracked as CVE-2023-32784, which allows an attacker to retrieve the master key from KeePass memory in KeePass 2.X versions.

The vulnerability in question (CVE-2023-32784) is a flaw that allows the master key to be recovered in plain text from a memory dump. The dump can be a KeePass process dump, a swap file such as pagefile.sys, a hibernation file such as hiberfil.sys, or a full system RAM dump.

KeePass is a widely used open-source password manager. It can be thought of as a digital “safe” in which users store and organize any kind of sensitive information they wish to protect, including passwords, credit card numbers and notes. KeePass encrypts the stored data with a master key or password, which is then required to access the stored information.

The vulnerability discovered by Vdohney is related to how a custom KeePass box for entering passwords, called “SecureTextBoxEx”, processes user input. Each time a character of the password is typed, a string remnant is left in memory, consisting of a placeholder for every previously typed character followed by the new one. For the word “Password”, for example, the remnants would be: -a, --s, ---s, ----w, -----o, ------r, -------d. An attacker who finds these remnants can reassemble the password in clear text (apart from the first character, which leaves no such remnant).

The effectiveness of this attack depends on the way the password was typed and on the number of passwords that have been typed in the session. However, even when many passwords have been entered in a session, the way the .NET CLR allocates these strings means they are likely to be laid out in order in memory.
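A small Python model of the behaviour described above, added here as an illustration and not taken from KeePass or the PoC tool: a text box that allocates a new masked string on every keystroke, beside one that keeps a single buffer it can zeroise. The class names, the MASK character and the `heap` list standing in for the CLR heap are constructed for the example.

```python
from typing import List

# Constructed stand-in for the masking character shown in the password box.
MASK = "\u25cf"


class VulnerableMaskedBox:
    """Models the pre-2.54 behaviour: one new immutable string per keystroke.

    Every intermediate string ("P", "•a", "••s", ...) is an allocation the
    control never overwrites, so it stays in the managed heap until the GC
    reclaims it and shows up in a process, swap or hibernation dump.
    """

    def __init__(self) -> None:
        self.heap: List[str] = []   # stand-in for strings left in the CLR heap
        self.length = 0

    def type_char(self, ch: str) -> None:
        remnant = MASK * self.length + ch   # e.g. "••s" for the third key
        self.heap.append(remnant)           # the allocation nobody clears
        self.length += 1


class HardenedMaskedBox:
    """Models the mitigation: a single mutable buffer, zeroised on clear()."""

    def __init__(self) -> None:
        self.heap: List[str] = []           # nothing is ever appended here
        self.buf = bytearray()

    def type_char(self, ch: str) -> None:
        self.buf.extend(ch.encode())        # mutated in place, no new string

    def clear(self) -> None:
        for i in range(len(self.buf)):      # overwrite rather than drop
            self.buf[i] = 0


def remnants_in(heap: List[str]) -> List[str]:
    """What a scan of the heap finds: strings that are masks plus one char."""
    return [s for s in heap if len(s) >= 2 and set(s[:-1]) == {MASK}]


def recover_from_remnants(remnants: List[str]) -> str:
    """Reassembles every character except the first, which leaves no
    mask-prefixed remnant and is therefore not recoverable this way."""
    return "".join(r[-1] for r in sorted(remnants, key=len))
```

Running both boxes over the same input shows why the page's fix list includes flushing the swap file and rebooting: the vulnerable box leaves one remnant per keystroke behind, while the hardened one leaves nothing to carve.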

vulnerability patching

KeePass's maintainer, Dominik Reichl, commented that he was aware of the problem and said he had implemented two enhancements to the password manager that address it. However, these improvements will not ship until KeePass version 2.54 is released, alongside other security features.

Although 2.54 was initially expected within the next two months, the release is now scheduled for the beginning of June. Dominik Reichl has given no guarantee of this time frame, however.

It has also been pointed out that CVE-2023-32784 can only be exploited by a local attacker. According to the researcher, there is no cause for alarm unless you expect to be targeted by a sophisticated threat group. However, an attacker does not need to be physically present at the machine, and it is no secret that a growing number of remote attackers routinely gain such access through exploits, phishing and remote access Trojans (RATs), to mention just a few methods.

This is the second vulnerability discovered in recent months; the first allowed an attacker with access to the KeePass XML configuration file to edit it so that clear-text passwords were exported from the password database and silently sent to a server controlled by the attacker.

This new KeePass vulnerability again raises questions about password managers, as it adds to the large number of incidents involving this type of software and underlines how valuable access to them is for threat actors.

suggestions

  • Install KeePass version 2.54, once available.
  • Change the master password.
  • Delete pagefile/swapfile.
  • Overwrite the deleted data on the hard disk to prevent carving.
  • Restart the computer.
