Hack KeePass – Extract KeePass master password from Memory using this tool

KeePass is a piece of software that is both open-source and free to use. It is a trusted companion for users of Windows, Linux, and Mac OS X, as well as users of mobile devices. However, a newly found security hole has brought attention to the program, demonstrating that not even the most secure of systems are immune to the possibility of having security problems.

This security flaw, which has been given the identifier CVE-2023-32784, makes it possible for the user’s master password to be dumped from memory even when the user’s workspace is closed or the program is no longer active. The master password is the main key that may be used to unlock the user’s database of passwords. A hostile actor could be able to extract the plain text master password from a memory dump. KeePass 2.x versions previous to 2.54 include this vulnerability. This vulnerability is widespread in KeePass 2.x versions. It’s possible that this is a dump of the KeePass process, but it might also be a swap file, a hibernation file, or even a RAM dump of the whole system. The fact that the initial character of the password cannot be reconstructed is the only minor solace in this situation.

A researcher by the name of vdohney built a proof-of-concept tool and gave it the suitable moniker “KeePass Master Password Dumper” in order to draw attention to this issue. This program provides a clear demonstration of how the master password might be retrieved from KeePass’s memory with the exception of the first character. This can be done without needing code to be executed on the machine that is being targeted, and it can be done even if the workspace is locked or if KeePass is no longer operating.

When entering passwords, KeePass 2.X makes use of a text box that was built specifically for it called SecureTextBoxEx. This text box is utilized not just for the insertion of the master password, but also in other locations in KeePass, such as password edit boxes (which means that the attack may also be used to retrieve the contents of other password edit boxes).

The vulnerability that is being exploited here is the fact that a leftover string is formed in memory for each character that is entered. Because of the way that.NET operates, once an instance of it has been created, it is very difficult to delete it. For instance, when the word “Password” is entered, it will leave behind the following strings: •a, ••s, •••s, ••••w, •••••o, ••••••r, •••••••d. The proof-of-concept program looks through the dump to find these patterns and suggests a possible character to use for each location in the password.

The reliability of this attack is susceptible to change based on the manner in which the password was written as well as the number of passwords that were input within a single session. However, it appears that the way.NET CLR creates these strings implies that they are likely to be well ordered in memory. This is true even if there are numerous passwords used for a single session or if there are errors in the passwords. Therefore, if three distinct passwords were entered, you have a good chance of getting three options for each character place in that sequence. This enables you to recover all three passwords if they were entered.

Should You Be Concerned About This?
It is dependent on the threat model you choose. This discovery does not significantly worsen your condition if your machine is already infected with malware that is operating in the background with the rights of your user. On the other hand, in contrast to KeeTheft and KeeFarce, there is no need for any kind of process injection or other code execution for the malware to be stealthy and dodge the antivirus software. This may make it simpler for the malware.

It might be a problem if you have a reasonable suspicion that someone could get access to your computer and undertake forensic examination. Even if KeePass is completely shut down or secured, it is still possible for the master password to be rediscovered. This is the worst-case situation.

If you have a clean machine and utilize full disk encryption with a strong password, you should be OK. Because to this discovery, it will be impossible for anybody to steal your credentials remotely over the internet.