A security researcher who goes by the online name “vdohney” has published a proof-of-concept (PoC) exploit capable of recovering the master password used to secure a KeePass database.

Users of any password manager will know that the master password is the one secret that must be protected at all costs, since its compromise lets an attacker unlock the database and access every stored password for every service.

The vulnerability is tracked as CVE-2023-32784. It affects KeePass version 2.X and can only be exploited when the master password is typed on a keyboard; it is not viable if the master password is pasted from the user's clipboard.

How It Works

KeePass 2.X uses a custom-developed text box for password entry called SecureTextBoxEx. This text box is used not only for master password entry but in other places in KeePass as well, such as password edit boxes, so the attack can also be used to recover their contents.

The flaw exploited here is that for every character typed, a leftover string is created in memory. Because of how .NET manages strings, it is nearly impossible to get rid of such a string once it has been created.

For example, when the word “Password” is typed, it will result in these leftover strings: •a, ••s, •••s, ••••w, •••••o, ••••••r, •••••••d. The PoC application searches the dump for these patterns and offers a likely password character for each position in the password.
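To make the mechanism concrete, here is a small added Python model (not the PoC and not KeePass code): a text box that rebuilds an immutable masked string after every keystroke, so every intermediate state lingers as residue, placed beside a buffer that is overwritten in place. The wiped-buffer variant is an illustrative assumption for contrast, not a description of KeePass's actual fix.

```python
from dataclasses import dataclass, field

MASK = "\u25cf"  # bullet shown by the masked text box in place of each character


@dataclass
class LeakyTextBox:
    """Model of the vulnerable control: after each keystroke the display text
    is rebuilt as a brand-new immutable string (n bullets + the new char), and
    every superseded string stays behind. `heap` stands in for that residue."""
    text: str = ""
    heap: list = field(default_factory=list)

    def type_char(self, ch: str) -> None:
        # The very first keystroke leaves a plain one-character string; from
        # the second onwards the residue has the bullets+char shape described above.
        self.text = MASK * len(self.text) + ch
        self.heap.append(self.text)

    def clear(self) -> None:
        self.text = ""  # drops the reference only; `heap` entries are untouched


@dataclass
class WipedTextBox:
    """Illustrative (assumed) mitigation: keystrokes land in one mutable buffer
    that is zeroed in place, so no intermediate copies are ever allocated."""
    buf: bytearray = field(default_factory=lambda: bytearray(512))
    length: int = 0

    def type_char(self, ch: str) -> None:
        enc = ch.encode("utf-16-le")  # .NET strings are UTF-16 in memory
        self.buf[self.length:self.length + len(enc)] = enc
        self.length += len(enc)

    def clear(self) -> None:
        for i in range(len(self.buf)):
            self.buf[i] = 0  # overwrite in place rather than reallocate
        self.length = 0

    def residue(self) -> bytes:
        """Bytes still readable from the buffer (trailing padding stripped)."""
        return bytes(self.buf).rstrip(b"\x00")


def simulate(secret: str) -> tuple:
    """Type `secret` into both boxes, clear both, and report what remains."""
    leaky, wiped = LeakyTextBox(), WipedTextBox()
    for ch in secret:
        leaky.type_char(ch)
        wiped.type_char(ch)
    leaky.clear()
    wiped.clear()
    return leaky.heap, wiped.residue()
```

Running `simulate("Password")` returns the leftover strings from the example above (preceded by the plain "P" of the first keystroke) for the leaky box, and an empty residue for the wiped buffer.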

No code execution on the target system is required, just a memory dump. It doesn’t matter where the memory comes from: it can be a process dump, the swap file (pagefile.sys), the hibernation file (hiberfil.sys) or a RAM dump of the entire system. It also doesn’t matter whether or not the workspace is locked.

Whilst the PoC was developed on a Windows machine, vdohney states that the exploit should work on Linux and macOS as well, because it is not a flaw in the OS but a flaw in how the application handles data input.

PoC demo extracting master password – GitHub – vdohney

Fix is imminent

The developer of KeePass, Dominik Reichl, received the bug report from vdohney and promised to roll out a fix for CVE-2023-32784 in version 2.54, expected sometime in early June.