The popular KeePass password manager has a disturbing exploit that could lead to the theft of your master password.
A security researcher has published a proof of concept that shows how a cybercriminal can extract a user’s master password from the KeePass application memory by exploiting a bug tracked as CVE-2023-3278.
“KeePass Master Password Dumper is a simple proof-of-concept tool to dump the master password from the KeePass memory. Apart from the first character of the password, it is mostly able to recover the password in plain text,” says the researcher.
No code execution
They added that “No code execution is required on the target system, just a memory dump. It doesn’t matter where the memory comes from – it can be a process dump, a swap file (pagefile.sys), a hibernation file (hiberfil.sys), or a dump of the entire system’s RAM. It doesn’t matter if the workspace is locked or not.”
The master password can also be extracted from the system’s RAM after KeePass has been closed, although the researcher noted that the more time elapses after the application is closed, the lower the chance of successful extraction.
The PoC was tested on Windows, but the researcher says the exploit also works on the macOS and Linux versions.
The PoC relies on SecureTextBoxEx, a custom text box KeePass uses for password entry, which leaves the characters typed by the user in memory. This control is used not only when entering the master password but also when editing other stored passwords, so those can be compromised as well.
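To make the memory-remnant problem concrete, here is an added toy model in C (not KeePass code and not the researcher’s tool): a bump allocator stands in for a managed heap whose old string objects stay readable until overwritten, the leaky entry routine mimics a control that creates a fresh string per keystroke, and the hardened routine keeps the secret in one fixed buffer that is wiped after use. The password value, buffer sizes and arena are constructed for the demonstration.

```c
#include <string.h>

/* Toy model: a bump allocator standing in for a managed heap. Nothing
   allocated here is ever freed or wiped, as in a memory dump. */
#define ARENA_SIZE 4096
static char arena[ARENA_SIZE];
static size_t arena_used;

void arena_reset(void) { memset(arena, 0, ARENA_SIZE); arena_used = 0; }

/* Allocate an immutable copy of s, the way a managed string is created. */
static const char *arena_strdup(const char *s) {
    size_t n = strlen(s) + 1;
    if (arena_used + n > ARENA_SIZE) return NULL;
    char *p = arena + arena_used;
    memcpy(p, s, n);
    arena_used += n;
    return p;
}

/* Leaky pattern: every keystroke yields a new, longer string object and the
   earlier ones are never overwritten, so a dump holds the whole history. */
void leaky_entry(const char *typed) {
    char cur[128] = {0};
    for (size_t i = 0; typed[i] && i + 1 < sizeof cur; i++) {
        cur[i] = typed[i];
        arena_strdup(cur);
    }
}

/* Count byte-exact copies of needle anywhere in the arena (a dump scan). */
int count_copies(const char *needle) {
    size_t n = strlen(needle);
    int hits = 0;
    for (size_t i = 0; i + n <= ARENA_SIZE; i++)
        if (memcmp(arena + i, needle, n) == 0) hits++;
    return hits;
}

/* Overwrite through a volatile pointer so the compiler cannot elide it. */
static void secure_zero(void *p, size_t n) {
    volatile unsigned char *v = p;
    while (n--) *v++ = 0;
}

/* Hardened pattern: one fixed (ideally locked, non-pageable) buffer filled
   in place, used once, then wiped. No per-keystroke copies reach the heap. */
static char secure_buf[128];

size_t hardened_entry(const char *typed) {
    size_t len = 0;
    for (; typed[len] && len + 1 < sizeof secure_buf; len++)
        secure_buf[len] = typed[len];
    secure_buf[len] = '\0';
    /* derive the database key from secure_buf here, then wipe it */
    secure_zero(secure_buf, sizeof secure_buf);
    return len;
}

int secure_buf_is_clear(void) {
    for (size_t i = 0; i < sizeof secure_buf; i++)
        if (secure_buf[i]) return 0;
    return 1;
}
```

With the leaky routine, a scan of the arena finds the full password once and every longer prefix of it as well; with the hardened routine the scan finds nothing and the working buffer is all zeros afterwards.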
The vulnerability affects KeePass 2.53.1 and any forks (the application is open source) based on the original KeePass 2.X application written in .NET. The researcher claims that KeePassXC, Strongbox and KeePass 1.X, as well as potentially other versions, are not affected.
KeePass developer Dominik Reichl confirmed the existence of the vulnerability, and a fix should arrive in June in version 2.54. However, the risk of being attacked in the wild is somewhat limited.
The researcher claims that if your system is already infected with malware, this exploit can make it easier for that malware to stay undetected while trying to steal your master password, as no code execution is required. However, if your system is clean, you should be fine, because “nobody can remotely steal your passwords over the internet based on this discovery alone,” the researcher states.