KeePass Exploit Enables Attackers to Recuperate Master Passwords from Memory
A proof-of-concept (PoC) has been provided for a security flaw affecting the KeePass password manager that could be exploited to recover a victim’s master password in cleartext under certain situations.
The problem, tracked as CVE-2023-32784, impacts KeePass versions 2.x for Windows, Linux, and macOS and is presumed to be patched in version 2.54, which is likely to be launched very early next month.
According to a security researcher, “vdhoney,” apart from the first password character, it is mainly possible to recuperate the password in plaintext. No code execution on the target system is required, just a memory dump.
vdhoney adds that, regardless of the memory’s origin or if the workspace is secured, it is possible to dump the password from RAM after KeePass is no longer running. However, the possibility of that functioning goes down with time it has been ever since.
Bypassing KeePass
Successful exploitation of the problem relies on the condition that an attacker has jeopardized a potential target’s computer. It also requires that the password is typed on a keyboard and not copied from a clipboard.
vdhoney said the vulnerability concerns how a custom text box field used for entering the master password manages user input. Specifically, it has been found to leave traces of every character the user enters the program memory.
This results in a scenario wherein an attacker can dispose of the program’s memory and reconstruct the password in plaintext with the exception of the first character. Users are advised to update to KeePass 2.54 once it becomes available.
The disclosure comes a few months after a different medium-severity flaw (CVE-2023-24055) was revealed in the open-source password manager that could be exploited to get cleartext passwords from the password database by taking advantage of write access to the software’s XML file.
KeePass has insisted that the password database is not meant to be secure against an attacker with that level of local computer access.
It also follows discoveries from Google security research that outlined a flaw in password managers such as Bitwarden, Dashlane, and Safari, which can be abused to auto-fill saved credentials into untrusted web pages, causing possible account takeovers.
Originally published on The Hacker News.
Read more: ChatGPT and The Dark Web, Yet, A Hushed Talk in The Tech World.