Platform
29 January 2023 Blog Vlad
KeePass, ultra-mega-giga critical vulnerability đ€Šââïž
Ce contenu vous plait
Partagez-le sur les réseaux
At first I intended to limit myself to a simple tweet (https://twitter.com/mynameisv_/status/1618237806442336256) and an email on a private mailing list (those who know, know đ) but given the extent of the subject ⊠here is a blog post đ. In order to end in joy and good humor, you will have the new features of KeePass 2.53 at the end đ.
KeePass? What is that?
KeepPass is a wonderful tool wich is a password vault.
Iâll make it short: itâs a tool that allows you to store your passwords locally, securely and requiring you to enter a âmasterâ password to unlock them. Itâs handy for having complex and random passwords for each of your sites, tools, access⊠đ.
To say it another way, it protects your passwords, it protects your buttocks, it âkeeps your assâ⊠thatâs for those who didnât understand the name of this tool đ.
Ultra mega giga critical vulnerability CVE-2023-24055
The weaknesses of KeePass
Keepass is great for keeping your secrets safe but for an attacker it can be interesting for two main reasons đ:
- If I compromise the user computer and have enough privileges to access the Keepass database, then I will have ALL of its secrets (which I retrieve in memory with tools like KeeFarce or KeeThief or SharpClipHistory most recent, or on disk waiting for the user to enter their password and capturing it with a keyloggerâŠ)
- If I compromise the user computer and I have written permissions on the KeePass configuration file, I can ask him to trigger an action, such as a command execution, following an event such as when it is opened, when a password database is opened, when it is closed⊠(which can be done manually or with tools like the recent KeePwn) The second case has been known since 2015, at least (for those on the mailing list, I refer you to the 2015 emails âKeeFarce: software that extracts data from Keepassâ and âSecurity KeeThief, to steal the content of a KeePassâ).
This is an old, well-known technique that I have used several times during pentest ensure discreet persistence on the targetđȘ but also to steal the passwords.
CVE-2023-24055
For self-promotion, someone tried to report a vulnerability from the feature and since itâs not a vulnerability, itâs âDISPUTEDâ at MITER, i.e. it There is debate on whether or not this is a real vulnerability.
So be careful, Iâm going to put out my best bad faith because this story is totally ridiculous:
- Word, Excel, PowerPoint⊠have the same kind of functionality (code execution) with Macros
- Outlook, which you have almost all the time open, has the same kind of functionality with Addins
- Photoshop, Illustrator⊠have the same kind of functionality with plugins
- Firefox, Chrome⊠have the same kind of functionality with plugins So yes, KeePass can be misused and all your passwords can be recovered, but itâs been known and documented for years: https://keepass.info/help/kb/sec_issues.html#cfgw
And KeePass offers ways to make its configuration a bit more secure: https://keepass.info/help/kb/config_enf.html
The fact remains that if an attacker has access to your computer, even with limited privileges, it is only a matter of time before he have access to everything (except possibly on a Chrome Book concerning the persistence).
Does this challenge KeePass and having a local vault?
The answer is of course: no đ€Ł, thank you capâtain Obvious!
To compromise KeePass, an attacker must have access to the computer (or, in some cases, to a remote share). If an attacker has access to your computer, even with limited privileges, itâs only a matter of time before they have access to everything (except possibly on a Chrome Book for persistence).
Having a password safe is good, itâs even very good, itâs better than having a single password for all your accounts (Password Reuse my friend enemy), itâs better than having a text or excel file with your passwordsâŠ
If the password vault is used wisely, then you will have unique, long and complex passwords for each site/application, then back it up regularly.
You can also use a safe as a web application like Bitwarden self-hosted or as a pure service (SaaS) like âBitwarden SaaS serviceâ, LastPass, Dashlane, 1Password⊠(and dear reader, before youâre starting to complain about LastPass, yes, an online safe is interesting but requires a prior analysis of the threat because, indirectly, they will have your passwords cf. https://patrowl.io/third-lastpass-hack/)
Update 2.53
Very recently, the 2.53 update brought full support for strong authentication based on âOne Time Password / OTPâ by adding it to automatic completion:
The username and password are configured in the classic way here:
For auto-type, itâs here:
You can now add {HMACOTP} and {TIMEOTP} (see screenshot above) in the auto-type configuration and you really have no excuse to use strong authentication anymoređ.
By the way, if you use the OTP from the device from which you entered your password⊠itâs not really strong two-factor authentication (2FA) but rather â1.5 factor or â1.5 FAâ đ . (One of the purpose of strong authentication is to have a separate device generating the OTP because if your device is compromised, the attacker will have your password as well as your second factor⊠đą).
So...
Use a Password Vault (local, SaaS, self-hostedâŠ), use strong passwords, use unique password per site/app, use MFA, donât believe what you read on Internet đ.
And if you want to know more about strong authentication (sorry, itâs only in French):
- Blog: Bypassing Office 365 Strong Authentication (MFA) in 3 Lines (and Fixing It đ) https://patrowl.io/bypass-strong-authentication-doffice-365-mfa-en-3-lines-and-fix-it-%f0%9f%98%89/
- Blog: Strong authentication is good, secure is better https://patrowl.io/strong-authentication-is-good-when-it-is-secured-it-is-better/
And about password security:
- Blog: The Password Strength Chart https://patrowl.io/le-tableau-de-la-resistance-des-mots-de-passe/
- Blog: Breaking password condensates⊠without violence https://patrowl.io/breaking-password-dums-pass-without-violence/