Overview
KeePass is an open-source password manager, centralizing credential management on the endpoint.
Earlier this year, researcher vdohney discovered a vulnerability in KeePass and built a proof of concept (PoC) for it. In essence, it is able to dump the master key for a KeePass database file, therefore enabling the attacker to gain access to the credential database and potentially laterally move within a target environment.
Vulnerability in a Nutshell
CVE-2023-32784 allows for the recovery of the cleartext master password from memory, whether it be from running process memory, a memory dump, a pagefile.sys file, or a hiberfil.sys file. The vulnerability takes advantage of a KeePass custom-developed text box (SecureTextBoxEx) for master password entry. For every character typed in the box, a residual string is created in memory. An important note is that the first character of the password string cannot be recovered, so it will be up to the attacker to deduce what it may be. This may be easier to achieve if the password is not a random alphanumeric string.
PoC
vdohney was the original researcher and developer of the PoC for this vulnerability, which can be found here. Additional ports in different languages exist. In the upcoming demo, I'll be using a Python variation based off of vdohney's PoC and developed by CMEPW. A Rust variation is available as developed by ynuwenhof.
Demo/Walkthrough
I'll be using a Kali Linux VM and a Windows Server 2019 VM to perform this demo. I'll also be doing a full walkthrough from setting up the environment to exploitation to offer an opportunity for full understanding of the vulnerability from start to finish. If you already have a dump file and want to jump straight to the PoC, click here.
Setup
First, I'll install the vulnerable version of KeePass on the Windows Server 2019 VM:
Select a version older than 2.54 and go through the installation prompts.
Create a database
Click the white square with the spark at the top left of the screen:
From there, click "OK":
Select your save location, and then generate your Master Password:
Name your database and click "OK":
Skip the emergency sheet since this is a demo. Close the program.
Generating Memory Goodies, Dumping Process Memory, and Dump Transfer
Open your database and enter the master key password and click "OK":
From here, spawn Task Manager, right click on the KeePass process, and select "Create dump file" (you may have to expand details prior to seeing that as an option):
Using a file transfer method (here I opt for pscp), transfer the dmp file from the Windows VM to the Kali VM:
Exploit and Profit :)
Clone the git repository to your system, move into the directory, and run the exploit:
Troubleshooting and Reliability
One major thing I noticed while creating this demo and going through the motions of understanding the vulnerability is that it took multiple attempts to get accurate results. The first try, I had only entered the database password once and immediately dumped the process memory. The results were as follows:
I went back to the Windows VM, locked and unlocked the database with the password, and redumped the process memory. This dump gave me closer results but still excluded the numbers at the end of the key:
It wasn't until I went back a third time, locked and unlocked the database a few more times, and dumped the process memory again that I got the closest and most lucrative result:
Referencing vdohney's original writeup, this actually makes sense. vdohney mentions that the reliability of this attack is dependent on how the password was typed and the frequency of times it was typed during the session. This also means the attack will not work if the password was copied from a clipboard.
Alternative Attack Paths for KeePass
In some instances, the opportunity to extract a password from a memory dump may not exist or be reliable. If we have access to the database file (.kdbx) itself, we can use keepass2john to extract the hash of the master key, and then use John the Ripper or Hashcat to crack it.
KeePass2John
For this brief walkthrough I've transferred the kdbx file from my Windows VM to my Kali VM:
From here, we can extract the hash of the master key/password by using KeePass2John:
Now, we can pass that hash file to john for cracking:
Depending on the complexity of the password, cracking time may vary, if it's even able to crack it.
Comments