![]() ![]() For example, when "Password" is typed, it will result in these leftover strings: NET works, it is nearly impossible to get rid of it once it gets created. ![]() The flaw exploited here is that for every character typed, a leftover string is created in memory. This text box is not only used for the master password entry, but in other places in KeePass as well, like password edit boxes (so the attack can also be used to recover their contents). KeePass 2.X uses a custom-developed text box for password entry, SecureTextBo圎x. No one can steal your passwords remotely over the internet with this finding alone. If you use full disk encryption with a strong password and your system is clean, you should be fine. Worst case scenario is that the master password will be recovered, despite KeePass being locked or not running at all. If you have a reasonable suspicion that someone could obtain access to your computer and conduct forensic analysis, this could be bad. However, it might be easier for the malware to be stealthy and evade the antivirus, since unlike KeeTheft or KeeFarce, no process injection or other type of code execution is necessary. If your computer is already infected by malware that's running in the background with the privileges of your user, this finding doesn't make your situation much worse. ![]() Alternatively you can add another parameter dotnet run PATH_TO_DUMP PATH_TO_PWDLIST to generate a list of all possible passwords beginning from the second character.ĭepends on your threat model.The easiest way to test this on Windows is to create a process dump in the task manager by right-clicking the KeePass process and selecting "Create dump file". Enter the project directory in your terminal (Powershell on Windows) cd keepass-password-dumper.Clone the repository: git clone or download it from GitHub.NET (most major operating systems supported). PoC might have issues with databases created by older versions of KeePass, but I wasn't able to reproduce it (see issue #4).įinding was confirmed by Dominik Reichl, KeePass's author, here. Unfortunately, enabling the Enter master key on secure desktop option doesn't help in preventing the attack. It should work for the macOS version as well. Tested with KeePass 2.53.1 on Windows (English) and KeePass 2.47 on Debian (keepass2 package). It is also possible to dump the password from RAM after KeePass is no longer running, although the chance of that working goes down with the time it's been since then. It doesn't matter whether or not the workspace is locked. It doesn't matter where the memory comes from - can be the process dump, swap file ( pagefile.sys), hibernation file ( hiberfil.sys), various crash dumps or RAM dump of the entire system. No code execution on the target system is required, just a memory dump. Apart from the first password character, it is mostly able to recover the password in plaintext. KeePass Master Password Dumper is a simple proof-of-concept tool used to dump the master password from KeePass's memory. Rule of thumb is that if it isn't the original KeePass 2.X app written in. Incomplete list of products that are not impacted (please create a pull request or an issue for adding more). Or just overwrite your HDD and do a fresh install of your OS. Overwrite deleted data on the HDD to prevent carving (e.g.Delete pagefile/swapfile (can be quite annoying, don't forget to enable it back again).Delete crash dumps (depends on your OS, on Windows at least C:\Windows\memory.dmp, but maybe there are others).Depending on your paranoia level, you can consider these steps to resolve the issue: Second, if you've been using KeePass for a long time, your master password (and potentially other passwords) could be in your pagefile/swapfile, hibernation file and crash dump(s). Thanks again to Dominik Reichl for his fast response and creative fix!Ĭlarification: the password has to be typed on a keyboard, not copied from a clipboard (see the How it works sections). The vulnerability was assigned CVE-2023-32784 and fixed in KeePass 2.54. KeePass 2.X Master Password Dumper ( CVE-2023-32784) Update ![]()
0 Comments
Leave a Reply. |
AuthorWrite something about yourself. No need to be fancy, just an overview. ArchivesCategories |