
KeePass Users at Risk: PoC Tool Exploits Unpatched Vulnerability to Retrieve Master Passwords


Proof of Concept Tool Exploits Unpatched KeePass Vulnerability

A security researcher has recently published a proof-of-concept (PoC) tool that extracts the master password from the memory of the password manager KeePass. KeePass is an open-source password manager for Windows, with ports available for macOS and Linux, designed to help users manage their passwords. However, the PoC tool takes advantage of an unpatched vulnerability in KeePass 2.x versions that allows attackers to retrieve the clear-text master password from memory, even after the workspace has been locked or closed, giving them undetected access to every password the user has saved. The flaw, tracked as CVE-2023-32784, is related to a custom-developed text box that the program uses for password entry: every time the user types a character, a leftover string is created in memory.

Technical Details of the Tool

The PoC tool, developed by security researcher Vdohney, is called "KeePass 2.X Master Password Dumper" and searches memory dumps for these leftover strings. Because KeePass uses the same text box in its password edit boxes, the tool can retrieve the password for any recorded username and password entry, since the leftover strings are arranged in the order in which they were typed. While the first password character cannot be recovered, the tool can recover most of the password in plaintext. A Microsoft security patch to address the issue has been projected for July.
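The two paragraphs above describe why the residue exists: each keystroke produces a fresh string, the earlier copies are never cleared, and so a memory dump still contains them after the box is closed. The following C program is an added illustration, not KeePass code and not the researcher's tool; it uses a constructed bump-allocated "arena" that never zeroes or reuses memory (standing in for a managed heap whose abandoned strings linger until the garbage collector overwrites them) and a constructed sample secret. It contrasts a text box that rebuilds its string on every keystroke with one that fills a single fixed buffer and wipes it on close, then counts how many secret bytes remain. All function and variable names are hypothetical.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Constructed toy heap: a bump allocator that never frees, zeroes or reuses
 * memory, so whatever a caller abandons stays exactly where it was written. */
#define ARENA_SIZE 4096
static unsigned char arena[ARENA_SIZE];
static size_t arena_used;

static void arena_reset(void) {
    memset(arena, 0, sizeof arena);
    arena_used = 0;
}

static unsigned char *arena_alloc(size_t n) {
    if (arena_used + n > ARENA_SIZE) return NULL;
    unsigned char *p = arena + arena_used;
    arena_used += n;
    return p;
}

/* Volatile writes so the compiler cannot optimise the wipe away. */
static void secure_wipe(void *p, size_t n) {
    volatile unsigned char *vp = (volatile unsigned char *)p;
    while (n--) *vp++ = 0;
}

static size_t nonzero_bytes(void) {
    size_t count = 0;
    for (size_t i = 0; i < ARENA_SIZE; i++) if (arena[i]) count++;
    return count;
}

/* Vulnerable pattern: every keystroke builds a new string from the previous
 * one plus the new character. Each intermediate prefix is abandoned but never
 * cleared, so after "closing" the box the arena still holds 1+2+...+n bytes
 * of secret material, in typing order. Returns that residue count. */
size_t leaky_textbox_residue(const char *typed) {
    arena_reset();
    size_t len = strlen(typed);
    unsigned char *current = NULL;
    for (size_t i = 0; i < len; i++) {
        unsigned char *next = arena_alloc(i + 1);
        if (!next) return 0;
        if (current) memcpy(next, current, i);
        next[i] = (unsigned char)typed[i];
        current = next;              /* old prefix dropped, not wiped */
    }
    /* Closing the box only drops the reference; nothing is overwritten. */
    return nonzero_bytes();
}

/* Hardened pattern: one fixed buffer is filled in place, so no prefix copies
 * are ever made, and it is explicitly wiped when the box is closed or the
 * workspace is locked. Returns the residue count (expected: zero). */
size_t hardened_textbox_residue(const char *typed) {
    arena_reset();
    size_t len = strlen(typed);
    unsigned char *buf = arena_alloc(len);   /* sized once, reused per key */
    if (!buf) return 0;
    for (size_t i = 0; i < len; i++) buf[i] = (unsigned char)typed[i];
    secure_wipe(buf, len);                   /* on close / lock */
    return nonzero_bytes();
}

/* Does the full secret survive anywhere in the arena? A memory dump of a
 * real process would expose the same bytes this finds. */
int arena_contains(const char *needle) {
    size_t n = strlen(needle);
    if (n == 0 || n > ARENA_SIZE) return 0;
    for (size_t i = 0; i + n <= ARENA_SIZE; i++)
        if (memcmp(arena + i, needle, n) == 0) return 1;
    return 0;
}

int main(void) {
    const char *secret = "s3cret!";   /* constructed sample, not a real password */
    size_t leaky = leaky_textbox_residue(secret);
    int leaky_found = arena_contains(secret);
    size_t hardened = hardened_textbox_residue(secret);
    int hardened_found = arena_contains(secret);
    printf("leaky:    %zu residual bytes, secret present: %d\n", leaky, leaky_found);
    printf("hardened: %zu residual bytes, secret present: %d\n", hardened, hardened_found);
    return 0;
}
```

The leaky variant leaves n(n+1)/2 bytes behind for an n-character secret, which is why the strings can be lined up by length to reconstruct what was typed; the hardened variant leaves nothing, because the fix is not in how memory is searched but in never creating the copies and wiping the one buffer that does exist.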

Security Implications

At present, the vulnerability cannot be exploited remotely, meaning an attacker needs access to the victim's system to obtain a dump of its memory. The attacker must be in possession of the system to capture such a dump, whether a KeePass process dump, the swap file (pagefile.sys), the hibernation file (hiberfil.sys), or a RAM dump of the entire system, which makes it less likely that the vulnerability will be leveraged in attacks. However, if the system is already infected with malware, the vulnerability becomes significantly more harmful, because the malware could obtain the memory dump itself and read every password previously saved in KeePass.

Ethical and Philosophical Implications

The vulnerability in KeePass demonstrates that password manager applications, regarded as the most secure way of managing passwords, are not entirely safe and carry their own security risks. Concern about third-party password managers is common within the information security community, with many professionals advocating the built-in password managers available on different operating systems. Even so, specialized password managers offer advantages such as enhanced security features, more robust encryption protocols, and backup tools. The KeePass vulnerability also highlights the importance of responsible disclosure and ethical behavior within cybersecurity communities. This researcher responsibly disclosed the vulnerability to KeePass before publishing the PoC tool on GitHub. Responsible disclosure gives developers ample time to develop and test patches and to notify their users about the vulnerability before it becomes public, reducing the potential harm from malicious actors taking advantage of it.

Editorial and Advice

Users of KeePass 2.x versions should continue to use the application while waiting for an official patch from the vendor. In the meantime, they should ensure that all other security software is in place to prevent malware from infiltrating their systems and reading the contents of their password databases. Users are also advised, as a precaution, to use strong passwords and to avoid reusing usernames and passwords across multiple accounts. In general, the best practice for handling passwords is to change them regularly, avoid sharing them with third parties, and use multifactor authentication wherever possible. While built-in password managers are more secure, users should be aware that not all of them include features such as storage of payment details that third-party password managers provide, which may help them decide whether to continue using their third-party program after the official patch for KeePass has been released.
