Advisory

KeePass Password Safe vulnerability enables master password theft

Take action: When programming secure mechanisms, consider whether the underlying development framework leaves artifacts that expose your secret data through a different channel (for example, strings lingering in memory). From a practical perspective, be very mindful of phishing and of running external programs until you have patched your KeePass Password Safe.


Learn More

A vulnerability in the KeePass password manager has been discovered that allows attackers to obtain the plaintext master password from a locked user workspace. Tracked as CVE-2023-32784, this vulnerability specifically affects KeePass Password Safe and allows attackers to extract the master password from the software's memory. Even when the workspace is locked or the application is not active, this flaw compromises the master key needed to unlock the user's password database.

The vulnerability exists in versions prior to 2.54 of KeePass 2.x, enabling malicious actors to recover the clear text master password from various memory sources. This vulnerability poses a significant risk as it could grant unauthorized access to all logins stored within the password manager, and the exploit works regardless of whether KeePass is running or the system is locked.

The developers of KeePass plan to fix this vulnerability in the upcoming release of KeePass version 2.54 in July.

There is a publicly available proof-of-concept exploitation tool named "KeePass 2.X Master Password Dumper". The vulnerability does not allow remote extraction of the password, but once a program with the dumper's functionality is run on the local computer, the master password is exposed. This works even if KeePass is locked or inactive.

The simplicity of the exploit and the existence of a PoC mean that attack groups will try to use social engineering to persuade a target to run a password dumper on their computer and extract the master password.

The KeePassXC fork of the KeePass program is not vulnerable since it doesn't use the same mechanism for entering the master password.

Why does the exploit work?

KeePass 2.X uses a custom-developed text box for password entry, SecureTextBoxEx. This text box is used not only for master password entry but also elsewhere in KeePass, such as the password edit boxes, so the attack can also be used to recover their contents.

The flaw exploited here is that for every character typed, a leftover string is created in memory. Because of how .NET manages strings, it is nearly impossible to get rid of such a string once it has been created. For example, when "Password" is typed, it results in these leftover strings: •a, ••s, •••s, ••••w, •••••o, ••••••r, •••••••d. The PoC application searches a memory dump for these patterns and proposes a likely password character for each position in the password.
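To make the "Take action" advice above concrete, here is an added illustration that is not KeePass code and is a deliberate simplification of the mechanism just described: a masked entry field that re-renders itself as bullets plus the latest typed character allocates a new immutable .NET string per keystroke, whereas a variant that keeps the secret in a SecureString and renders only bullets leaves no partially masked copies behind. The class names, the rendering logic and the hardened design are hypothetical and do not represent the actual KeePass 2.54 fix.

```csharp
using System;
using System.Linq;
using System.Runtime.InteropServices;
using System.Security;

// Hypothetical simplification of the leaky pattern: each keystroke builds a new immutable
// string "bullets + latest char" ("•a", "••s", ...). Every such string stays on the
// managed heap until the GC happens to overwrite it, so a memory dump can expose it.
static class LeakyMaskedEntry
{
    public static string[] RenderPerKeystroke(string typed) =>
        typed.Select((c, i) => new string('•', i) + c).ToArray();
}

// Hardened variant (illustrative only): the secret never becomes a System.String, and the
// rendered text carries nothing but the number of characters typed.
sealed class ZeroableEntry : IDisposable
{
    // SecureString keeps the characters out of the managed string heap (encrypted on Windows).
    private readonly SecureString _secret = new SecureString();
    public void OnKey(char c) => _secret.AppendChar(c);

    // Display text reveals only the length, never a typed character.
    public string Render() => new string('•', _secret.Length);

    // Hand the clear text to a consumer as a char[] and scrub both copies afterwards.
    public T UseSecret<T>(Func<char[], T> consumer)
    {
        IntPtr unmanaged = Marshal.SecureStringToCoTaskMemUnicode(_secret);
        var buf = new char[_secret.Length];
        try
        {
            Marshal.Copy(unmanaged, buf, 0, buf.Length);
            return consumer(buf);
        }
        finally
        {
            Array.Clear(buf, 0, buf.Length);              // zero the managed copy
            Marshal.ZeroFreeCoTaskMemUnicode(unmanaged);  // zero and free the unmanaged copy
        }
    }
    public void Dispose() => _secret.Dispose();

    static void Main()
    {
        Console.WriteLine(string.Join(" ", LeakyMaskedEntry.RenderPerKeystroke("Password")));
        using var entry = new ZeroableEntry();
        foreach (var c in "Password") entry.OnKey(c);
        Console.WriteLine(entry.Render() + " length=" + entry.UseSecret(buf => buf.Length));
    }
}
```

The first line printed is exactly the sequence of leftover strings listed above, which is what a dump-scanning tool looks for; the hardened entry prints only a run of bullets, and the only clear-text copy it ever produces is zeroed before it goes out of scope.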
