KeePass Exploit Allows Attackers to Recover Master Passwords from Memory

Password Security / Exploit

A proof-of-concept (PoC) has been made available for a security flaw impacting the KeePass password manager that could be exploited to recover a victim’s master password in cleartext under specific circumstances.

The issue, tracked as CVE-2023-32784, impacts KeePass versions 2.x for Windows, Linux, and macOS, and is expected to be patched in version 2.54, which is likely to be released early next month.

“Apart from the first password character, it is mostly able to recover the password in plaintext,” security researcher “vdhoney,” who discovered the flaw and devised a PoC, said. “No code execution on the target system is required, just a memory dump.”

“It doesn’t matter where the memory comes from,” the researcher added, stating, “it doesn’t matter whether or not the workspace is locked. It is also possible to dump the password from RAM after KeePass is no longer running, although the chance of that working goes down with the time it’s been since then.”

It’s worth noting that successful exploitation of the flaw banks on the condition that an attacker has already compromised a potential target’s computer. It also requires that the password is typed on a keyboard, and not copied from a clipboard.

vdhoney said the vulnerability has to do with how a custom text box field used for entering the master password handles user input. Specifically, it has been found to leave traces of every character the user types in the program memory.

This leads to a scenario whereby an attacker could dump the program’s memory and reassemble the password in plaintext with the exception of the first character. Users are advised to update to KeePass 2.54 once it becomes available.

UPCOMING WEBINAR

Zero Trust + Deception: Learn How to Outsmart Attackers!

Discover how Deception can detect advanced threats, stop lateral movement, and enhance your Zero Trust strategy. Join our insightful webinar!

Save My Seat!

The disclosure comes a few months after another medium-severity flaw (CVE-2023-24055) was uncovered in the open source password manager that could be potentially exploited to retrieve cleartext passwords from the password database by leveraging write access to the software’s XML configuration file.

KeePass has maintained that the “password database is not intended to be secure against an attacker who has that level of access to the local PC.”

It also follows findings from Google security research that detailed a flaw in password managers such as Bitwarden, Dashlane, and Safari, which can be abused to auto-fill saved credentials into untrusted web pages, leading to possible account takeovers.

Found this article interesting? Follow us on Twitter  and LinkedIn to read more exclusive content we post.