A proof-of-concept (PoC) has been made available for a security flaw impacting the KeePass password manager that could be exploited to recover a victim’s master password in cleartext under specific circumstances.
“Apart from the first password character, it is mostly able to recover the password in plaintext,” security researcher “vdhoney,” who discovered the flaw and devised a PoC, said. “No code execution on the target system is required, just a memory dump.”
“It doesn’t matter where the memory comes from,” the researcher added, stating, “it doesn’t matter whether or not the workspace is locked. It is also possible to dump the password from RAM after KeePass is no longer running, although the chance of that working goes down with the time it’s been since then.”
It’s worth noting that successful exploitation of the flaw banks on the condition that an attacker has already compromised a potential target’s computer. It also requires that the password is typed on a keyboard, and not copied from a clipboard.
vdhoney said the vulnerability has to do with how a custom text box field used for entering the master password handles user input. Specifically, it has been found to leave traces of every character the user types in the program memory.
This leads to a scenario whereby an attacker could dump the program’s memory and reassemble the password in plaintext with the exception of the first character. Users are advised to update to KeePass 2.54 once it becomes available.
The disclosure comes a few months after another medium-severity flaw (CVE-2023-24055) was uncovered in the open source password manager that could be potentially exploited to retrieve cleartext passwords from the password database by leveraging write access to the software’s XML configuration file.
KeePass has maintained that the “password database is not intended to be secure against an attacker who has that level of access to the local PC.”
It also follows findings from Google security research that detailed a flaw in password managers such as Bitwarden, Dashlane, and Safari, which can be abused to auto-fill saved credentials into untrusted web pages, leading to possible account takeovers.