KeePass Exploit Enables Attackers to Recuperate Master Passwords from Memory

By Ngoma Manuel Computer & Electronics, Cybernetics, Tech Hacker, Password Security Comments Off

A proof-of-concept (PoC) has been provided for a security flaw affecting the KeePass password manager that could be exploited to recover a victim’s master password in cleartext under certain situations.

The problem, tracked as CVE-2023-32784, impacts KeePass versions 2.x for Windows, Linux, and macOS and is presumed to be patched in version 2.54, which is likely to be launched very early next month.

According to a security researcher, “vdhoney,” apart from the first password character, it is mainly possible to recuperate the password in plaintext. No code execution on the target system is required, just a memory dump.

vdhoney adds that, regardless of the memory’s origin or if the workspace is secured, it is possible to dump the password from RAM after KeePass is no longer running. However, the possibility of that functioning goes down with time it has been ever since.

Bypassing KeePass

Successful exploitation of the problem relies on the condition that an attacker has jeopardized a potential target’s computer. It also requires that the password is typed on a keyboard and not copied from a clipboard.

vdhoney said the vulnerability concerns how a custom text box field used for entering the master password manages user input. Specifically, it has been found to leave traces of every character the user enters the program memory.

This results in a scenario wherein an attacker can dispose of the program’s memory and reconstruct the password in plaintext with the exception of the first character. Users are advised to update to KeePass 2.54 once it becomes available.

The disclosure comes a few months after a different medium-severity flaw (CVE-2023-24055) was revealed in the open-source password manager that could be exploited to get cleartext passwords from the password database by taking advantage of write access to the software’s XML file.

KeePass has insisted that the password database is not meant to be secure against an attacker with that level of local computer access.

It also follows discoveries from Google security research that outlined a flaw in password managers such as Bitwarden, Dashlane, and Safari, which can be abused to auto-fill saved credentials into untrusted web pages, causing possible account takeovers.

Originally published on The Hacker News.

Cookie	Duration	Description
cookielawinfo-checkbox-analytics	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Analytics".
cookielawinfo-checkbox-functional	11 months	The cookie is set by GDPR cookie consent to record the user consent for the cookies in the category "Functional".
cookielawinfo-checkbox-necessary	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookies is used to store the user consent for the cookies in the category "Necessary".
cookielawinfo-checkbox-others	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Other.
cookielawinfo-checkbox-performance	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Performance".
viewed_cookie_policy	11 months	The cookie is set by the GDPR Cookie Consent plugin and is used to store whether or not user has consented to the use of cookies. It does not store any personal data.

KeePass Exploit Enables Attackers to Recuperate Master Passwords from Memory

KeePass Exploit Enables Attackers to Recuperate Master Passwords from Memory

Bypassing KeePass

Share this post

Author

Related Posts