KeePass 2.X Master Password Dumper (CVE-2023-32784)

Update

The vulnerability was assigned CVE-2023-32784 and fixed in KeePass 2.54. Thanks again to Dominik Reichl for his fast response and creative fix!

Clarification: the password has to be typed on a keyboard, not copied from a clipboard (see the How it works sections).

KeePass Master Password Dumper is a simple proof-of-concept tool used to dump the master password from KeePass's memory. Apart from the first password character, it is mostly able to recover the password in plaintext. No code execution on the target system is required, just a memory dump. It doesn't matter where the memory comes from - can be the process dump, swap file (pagefile.sys), hibernation file (hiberfil.sys), various crash dumps or RAM dump of the entire system. It doesn't matter whether or not the workspace is locked. It is also possible to dump the password from RAM after KeePass is no longer running, although the chance of that working goes down with the time it's been since then.

Tested with KeePass 2.53.1 on Windows (English) and KeePass 2.47 on Debian (keepass2 package). It should work for the macOS version as well. Unfortunately, enabling the Enter master key on secure desktop option doesn't help in preventing the attack. Finding was confirmed by Dominik Reichl, KeePass's author, here. PoC might have issues with databases created by older versions of KeePass, but I wasn't able to reproduce it (see issue #4).

NET (most major operating systems supported).

Incomplete list of products that are not impacted (please create a pull request or an issue for adding more). Rule of thumb is that if it isn't the original KeePass 2.X app written in.

Second, if you've been using KeePass for a long time, your master password (and potentially other passwords) could be in your pagefile/swapfile, hibernation file and crash dump(s). Depending on your paranoia level, you can consider these steps to resolve the issue:

- Delete crash dumps (depends on your OS, on Windows at least C:\Windows\memory.dmp, but maybe there are others).
- Delete pagefile/swapfile (can be quite annoying, don't forget to enable it back again).
- Overwrite deleted data on the HDD to prevent carving (e.g.

Or just overwrite your HDD and do a fresh install of your OS.
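The following is an added example, not code from the KeePass Master Password Dumper project: it checks a KeePass 2.x version string against the fixed release (2.54) and lists which of the memory-bearing files the page names are present under a given Windows volume, so they can be reviewed for cleanup. The function names and the drive-root locations of pagefile.sys and hiberfil.sys are assumptions; matching ignores case so it also works on a volume mounted under Linux.

```python
from pathlib import Path

FIXED_VERSION = (2, 54)  # first fixed KeePass release, per the page

# Memory-bearing files the page names, relative to the Windows system drive.
# Assumption: pagefile.sys and hiberfil.sys sit at the drive root (the Windows
# default); a relocated pagefile or other crash dumps need their own entries.
ARTIFACTS = ["pagefile.sys", "hiberfil.sys", "Windows/memory.dmp"]


def is_patched(version):
    """True if a KeePass 2.x version string is at or above the fixed release."""
    parts = tuple(int(p) for p in version.strip().split("."))
    if parts[0] != 2:
        raise ValueError("only KeePass 2.x versions are covered")
    return parts >= FIXED_VERSION


def _resolve_ci(root, relative):
    """Resolve `relative` under `root` ignoring case, as Windows would.

    Needed when the volume is mounted on a case-sensitive filesystem."""
    current = root
    for part in relative.split("/"):
        if not current.is_dir():
            return None
        current = next((c for c in current.iterdir()
                        if c.name.lower() == part.lower()), None)
        if current is None:
            return None
    return current


def find_memory_artifacts(root):
    """Return [(path, size_bytes or None)] for artifacts found under `root`."""
    found = []
    for rel in ARTIFACTS:
        try:
            path = _resolve_ci(Path(root), rel)
            if path is not None and path.is_file():
                found.append((path, path.stat().st_size))
        except OSError:  # unreadable: cannot confirm, flag for a manual check
            found.append((Path(root) / rel, None))
    return found


if __name__ == "__main__":
    import sys
    print("KeePass 2.53.1 patched:", is_patched("2.53.1"))  # constructed input
    for path, size in find_memory_artifacts(sys.argv[1] if len(sys.argv) > 1 else "C:/"):
        print(f"{path}\t{size} bytes")
```

Run it with the mount point of the volume as the only argument; on a live Windows system it may need an elevated prompt to see the protected system files.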