KeePass exploit helps retrieve cleartext master password, fix coming soon
The popular KeePass password manager is vulnerable to extracting the master password from the application’s memory, allowing attackers who compromise a device to retrieve the password even with the database is locked.
The issue was discovered by a security researcher known as ‘vdohney,’ who published a proof-of-concept tool allowing attackers to extract the KeePass master password from memory as a proof-of-concept (PoC).
Password managers allow users to create unique passwords for every online account and store the credentials in an easy-to-search database, or password vault, so you do not have to remember each one. However, to properly secure this password vault, users must remember the one master password used to unlock it and access stored credentials.
This master password encrypts the KeePass password database, preventing it from being opened or read without first entering the password. However, once that master password is compromised, a threat actor can access all the credentials stored in the database.
Therefore, for a password manager to be properly secured, it is critical that users guard the master password and not share it with anyone else.
A new KeePass vulnerability tracked as CVE-2023-3278 makes it possible to recover the KeePass master password, apart from the first one or two characters, in cleartext form, regardless of whether the KeePass workspace is locked, or possibly, even if the program is closed.
“KeePass Master Password Dumper is a simple proof-of-concept tool used to dump the master password from KeePass’s memory. Apart from the first password character, it is mostly able to recover the password in plaintext,” warns the security researcher on the GitHub page for the exploit tool.
“No code execution on the target system is required, just a memory dump. It doesn’t matter where the memory comes from – can be the process dump, swap file (pagefile.sys), hibernation file (hiberfil.sys) or RAM dump of the entire system. It doesn’t matter whether or not the workspace is locked.”
The flaw exists because the software uses a custom password entry box named “SecureTextBoxEx,” which leaves traces of each character the user types in the memory.
“KeePass 2.X uses a custom-developed text box for password entry, SecureTextBoxEx. This text box is not only used for the master password entry, but in other places in KeePass as well, like password edit boxes (so the attack can also be used to recover their contents),” explains vdohney.
The vulnerability impacts the latest version of KeePass, 2.53.1, and as the program is open-source, any project forks are likely affected.
KeePass 1.X, KeePassXC, and Strongbox do not appear to be impacted by CVE-2023-32784, according to the developer of the password dumping tool.
Also, while the PoC was tested on Windows, the exploit should also work for Linux and macOS, with some modifications, as the problem isn’t specific to the OS but how KeePass handles user input.
Easy to exploit
Since memory dumps must be retrieved for the KeePass master password to be recovered, the exploitation of CVE-2023-32784 requires physical access or malware infection on the target machine.
However, information-stealing malware could quickly check if KeePass exists on a computer or is running, and if so, dump the program’s memory and send it and the KeePass database back to the attacker for offline retrieval of the cleartext password from the memory dump.
BleepingComputer tested vdohney’s ‘keepass-password-dumper’ tool by installing KeePass on a test device and creating a new database with the master password ‘password123,’ as shown below.
We then locked our KeePass workspace, which prevents access to it unless you enter the master password again.
In our tests, you can use Process Explorer to dump the memory of the KeePass project, but it requires a full memory dump, and not a minidump, to work correctly. No elevated privileges are needed to dump the processes’ memory.
After compiling vdohney’s tool using Visual Studio, we executed it against our memory dump, and it quickly recovered most of our cleartext password, with just the first two letters missing.
While this is not the complete password, determining what characters are missing would be fairly easy.
The researcher also warns that master passwords used in the past can remain in memory, so they can be retrieved even if KeePass is no longer running on the breached computer.
Fix coming soon
The developer of KeePass, Dominik Reichl, received the bug report and promised to roll out a fix for CVE-2023-32784 on version 2.54, expected sometime in July 2023.
However, Reichl told BleepingComputer that KeePass version 2.54 is more likely to be released to users in about two weeks, so it should be out by early June.
Based on a discussion where Reichl developed his thoughts on the security flaw and the potential mitigation strategies, two security enhancements are mentioned for the upcoming KeePass version:
- Perform direct API calls for getting/setting the text of the text box, avoiding the creation of managed strings in memory that can leak secrets.
- Create dummy fragments containing random characters in the process memory that will have approximately the same length as the user’s master password, obfuscating the real key.
KeePass 2.54 for Windows will have both, while macOS and Linux versions will only get the second enhancement.
The developer has released a test version with the new security enhancements that mitigate the issue, so those who can accept unstable behavior can source it from here.
The creator of the PoC has confirmed that he can no longer reproduce the attack with the two security enhancements in place, so the fix appears to be effective.
Even after the new version is released, the master password may still be stored in memory files. The researcher warns that to be 100% safe that it is not lurking on the system, you would need to delete your system’s swap and hibernation files, format your hard drive using the “overwrite data” mode to prevent data recovery, and do a fresh OS install.
For most, though, restarting the computer, clearing your swap file and hibernation files, and not using KeePass until the new version is released are reasonable safety measures for the time being.
Even then, for the best protection, be super vigilant about not downloading programs from untrusted sites and beware of phishing attacks that may infect your devices, giving threat actors remote access to your device and your KeePass database.