This vulnerability allows the cleartext master password to be recovered from a memory dump. This works regardless of whether the KeePass workspace is locked, and even after the program has been completely closed. It is important to note that successful exploitation requires an attacker to have already compromised the target's computer. It also requires that the password was typed on a keyboard rather than pasted from the device's clipboard.
This means that a keyfile or hardware key, which is never typed, is not exposed by this vulnerability.
KeePass is an open-source password manager intended to empower users to generate distinct passwords for all their accounts and securely store them in a local database called a password vault. To safeguard the security of this vault, users are required to recall a single master password, which grants them access to unlock it and retrieve the stored credentials.
Affected Versions and Applications
Version 2.x of the KeePass password manager is affected. The vulnerability is exploitable on Windows, Linux, macOS and even mobile systems.
Resources that aren’t impacted:
- KeePass 1.x
A public Proof-of-Concept (PoC) exists for this vulnerability, in the form of a tool called "KeePass Master Password Dumper". The password cannot be extracted remotely through this vulnerability alone: to use the PoC tool you need a process dump of KeePass, or the hibernation file, RAM dump, or swap file of the entire system.
The vulnerability allows an attacker to recover the master password in plaintext, except for its first character. KeePass 2.x uses a custom-developed text box called SecureTextBoxEx for password input, and this control is the root cause of the vulnerability.
The flaw stems from leftover strings that are created in memory for each character typed, except the first one. Because .NET strings are immutable and remain on the managed heap until the garbage collector reclaims and reuses that memory, it is extremely difficult to reliably remove these leftover strings once they have been generated. For example, if the word "Password" is typed, the leftover strings created would be: •a, ••s, •••s, ••••w, •••••o, ••••••r, •••••••d. The attacker can iterate through all possibilities for the unknown first character to obtain the full password. The PoC application searches for these patterns in memory dumps and proposes a candidate password character for each position in the password.
The reliability of this attack is influenced by factors such as how the password was typed and how many passwords were entered per session. However, even when multiple passwords are entered in a session or typographical errors are made, the way the .NET CLR allocates these strings leaves them in a highly ordered arrangement in memory. Thus, if three different passwords were entered, it is possible to obtain three candidates for each character position in the order they were entered, making it feasible to recover all three passwords.
First, update KeePass to version 2.54, which has been available since the beginning of June 2023.
Second, if you have been using KeePass for a long time, your master password could already be stored in a crash dump file, hibernation file, or pagefile/swapfile. There are two ways to address this. You can wipe your HDD and install a clean operating system. Alternatively, follow the steps described in the repository https://github.com/vdohney/keepass-password-dumper :
- Update your master password.
- Remove crash dumps.
- Delete the hibernation file.
- Delete the pagefile/swapfile.
- Overwrite deleted data on the HDD to prevent carving, for example with the Cipher tool and its /w option on Windows.
Complete all these steps regularly.
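The cleanup steps above as an added PowerShell script (example code, not from the repository linked above or from the KeePass project). It assumes an elevated PowerShell session on Windows, the default KeePass install path, and C: as the system drive; changing the master password itself is done inside KeePass and is not scripted.

```powershell
# Added example: cleanup for the residue locations listed above.
# Assumptions: run as Administrator, KeePass in its default install path, system drive C:.
#Requires -RunAsAdministrator

$KeePassExe   = 'C:\Program Files\KeePass Password Safe 2\KeePass.exe'   # assumed default path
$FixedVersion = [version]'2.54'

# 0. Confirm the installed KeePass is at least 2.54 before relying on this cleanup.
if (Test-Path $KeePassExe) {
    $installed = [version](Get-Item $KeePassExe).VersionInfo.FileVersion
    if ($installed -lt $FixedVersion) {
        Write-Warning "KeePass $installed is older than $FixedVersion; update first."
    } else {
        Write-Host "KeePass $installed is at or above $FixedVersion."
    }
} else {
    Write-Warning "KeePass.exe not found at $KeePassExe; check the version manually."
}

# 1. Remove crash dumps: per-user WER dumps plus kernel mini/full dumps.
$dumpPaths = @(
    "$env:LOCALAPPDATA\CrashDumps\*.dmp",
    'C:\Windows\Minidump\*.dmp',
    'C:\Windows\MEMORY.DMP'
)
foreach ($p in $dumpPaths) {
    Get-ChildItem -Path $p -ErrorAction SilentlyContinue |
        Remove-Item -Force -ErrorAction SilentlyContinue
}

# 2. Delete the hibernation file: turning hibernation off removes C:\hiberfil.sys.
powercfg.exe /hibernate off

# 3. Pagefile: it cannot be deleted while in use, so have Windows wipe it at shutdown.
$mm = 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management'
Set-ItemProperty -Path $mm -Name 'ClearPageFileAtShutdown' -Value 1 -Type DWord

# 4. Overwrite free space on C: so the deleted dump/hibernation data cannot be carved.
#    cipher /w writes over unallocated space only; it takes a long time on large volumes.
cipher.exe /w:C:\

Write-Host 'Done. Reboot so the pagefile is cleared at shutdown; re-run this script periodically.'
```

The script removes the files the list names but cannot wipe the pagefile in place, which is why it relies on the shutdown-time clearing setting plus a reboot.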
Lastly, if you have a clean machine and employ full disk encryption with a strong password, the system should be safe.
Apply these mitigations to reduce the impact of this threat.