KeePass Memory Leakage Vulnerability Analysis — CVE-2023-32784
Introduction
KeePass is an open-source password management software. It is designed to help users store and manage their passwords and sensitive information for secure access to various online services and applications.
KeePass provides a secure database where usernames, passwords, website links, additional instructions, and other custom fields can be stored. This information is protected by encryption and requires a master password or key file to unlock and access.
Vulnerability Information
KeePass has released version 2.54, fixing the CVE-2023-32784 vulnerability that allows the extraction of the cleartext master password from the application’s memory.
When creating a new KeePass password manager database, users must create a master password, which is used to encrypt the database. When opening the database in the future, users must enter this master key to decrypt it and access the credentials stored within it.
Vulnerability Impact
This vulnerability exists in KeePass 2.x versions prior to 2.54. The cause is that when text is entered into the KeePass text box, a managed string is created in the process memory. If that memory is dumped, the master password is leaked.
Vulnerability Analysis
The author chose KeePass version 2.53.1 for vulnerability analysis and verification.
Start by entering your 14-character master password.
The code that creates the vulnerability is in the KeePass/UI/SecureTextBoxEx.cs file. During input, each time the .NET CLR executes this code, a managed string is generated. The character just entered is stored in memory in plain text, and the characters entered before it are replaced by the placeholder chPasswordChar.
According to the definition of PasswordCharEx, the placeholder for 64-bit machines is \xCF\x25.
After entering the password, take a memory dump of the process. The author used Windows Task Manager to create a process dump file.
Then open the DMP file using a binary editor and search for the placeholder \xCF\x25. As shown in the figure below, one placeholder appears first, followed by the plaintext character E.
Continuing the search, two placeholders appear, followed by the plaintext character S.
Continuing in the same way, the number of placeholders increases from 1 to 13, and each run of placeholders is followed by one plaintext character. As shown in the figure below, there are 13 placeholders, and the last plaintext character is G.
Using automated analysis tools to find the placeholder + plaintext binary data gives {UNKNOWN}EST<{_, B}><{B, Y}>Y_INSBUG. This yields 4 possible results, and the result EST_BY_INSBUG is the last 13 characters of the 14-character password entered by the author.
To sum up, when a password is entered in the text box for setting the master password, the first character cannot be obtained from memory, but every other character is stored in memory as a managed string of the form placeholders + plaintext character. If you enter 123, the managed strings that can be found in memory are as follows:
- \xCF\x25\x32
- \xCF\x25\xCF\x25\x33
KeePass 2.x can also run under the Mono platform (which allows .NET applications to run on Linux and macOS), and this problem exists there as well, so the root problem may be related to the .NET CLR.
Vulnerability Fix
The KeePass developers fixed the issue in the source code as follows:
- When running on Windows, KeePass now calls Windows API functions to directly get/set the text of the text box to avoid creating managed strings. For most lengths, the managed string for “●…●?” no longer appears in process memory, but for some lengths, there is still a managed string. (Maybe the Windows API function also creates a buffer.)
- KeePass now creates some dummy fragments (random fragments containing random characters, approximately the length of the current password) in the process memory. With this, it should be more difficult to determine the correct managed string.
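The residue pattern and the effect of the dummy fragments can be checked on a dump before it is shared or archived. The following is an added example, not code from KeePass or from the original article: it reports, for each password position, how many distinct characters follow a run of placeholders, without returning the characters themselves. It assumes printable ASCII input stored as UTF-16LE, and it models dummy fragments as placeholder runs ending in a different character; `typed_residue` builds constructed sample data, not a real dump.

```python
import re
from collections import defaultdict

# U+25CF encoded as UTF-16LE is the placeholder \xCF\x25 from the article.
# Assumption of this example: typed characters are printable ASCII, so each
# one occupies a single byte followed by \x00 in a UTF-16 managed string.
RESIDUE = re.compile(rb"((?:\xcf\x25)+)([\x20-\x7e])\x00")

def residue_profile(dump: bytes) -> dict:
    """Map password position (1-based) to the number of distinct characters
    found after a placeholder run of that position minus one.
    The candidate characters themselves are never returned."""
    seen = defaultdict(set)
    for m in RESIDUE.finditer(dump):
        position = len(m.group(1)) // 2 + 1  # n placeholders precede character n+1
        seen[position].add(m.group(2))
    return {pos: len(chars) for pos, chars in sorted(seen.items())}

def contains_residue(dump: bytes) -> bool:
    """True if the dump should be handled as credential-bearing material."""
    return bool(residue_profile(dump))

def typed_residue(secret: str, decoys: str = "") -> bytes:
    """Constructed stand-in for a process dump: the strings left behind after
    typing `secret`. `decoys` adds fragments ending in other characters,
    an assumed model of the dummy fragments created by the fixed version."""
    frags = []
    for i in range(1, len(secret)):       # the first character leaves no string
        for ch in secret[i] + decoys:
            frags.append(("\u25cf" * i + ch).encode("utf-16-le") + b"\x00\x00")
    return b"\x11\x22\x33".join(frags)    # arbitrary filler between strings

if __name__ == "__main__":
    samples = [("unpatched pattern", typed_residue("Demo#42pw")),
               ("with dummy fragments", typed_residue("Demo#42pw", decoys="xy"))]
    for label, dump in samples:
        print(label, contains_residue(dump), residue_profile(dump))
```

A position with exactly one candidate is fully exposed; several candidates per position is what the dummy fragments aim for, but such a dump still contains the real character and should be handled as sensitive.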
Users can download the unsigned repair version at https://keepass.info/news/n230603_2.54.html, or wait for the 2.54 stable version released by the developer.