A proof-of-concept (PoC) was made available for a security flaw impacting the KeePass password manager which could be exploited to recover a victim’s master password in clear text under certain circumstances.
“Regardless of the first password character, it can mostly recover passwords in plain text,” security researcher “vdohney,” who found the flaw and compiled the PoC, said. “No code execution required on the target system, just a memory dump.”
“It doesn’t matter where the memory comes from,” the researcher added, stating, “it doesn’t matter whether the workspace is locked or not. It is also possible to dump passwords from RAM after KeePass is no longer running, although the chance of it working has decreased over time since then.”
It should be noted that successful exploitation of the flaw is conditional on the attacker having already compromised the potential target’s computer. It also requires that the password was typed on the keyboard, and not pasted from the device’s clipboard.
vdohney said the vulnerability had to do with how the custom textbox field used to enter the master password handled user input. In particular, it has been found to leave a trace of every character the user types in the program’s memory.
This leads to a scenario where an attacker can dump program memory and reassemble the password in plain text, with the exception of the first character. Users are advised to update to KeePass 2.54 once it becomes available.
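As an added illustration (not KeePass code and not vdohney’s PoC), the simulation below contrasts a textbox that builds a fresh string on every keystroke with one that edits a single buffer in place and wipes it once the value has been consumed. The heap is modelled as a bump allocator that never scrubs freed memory, and the password “hunter2!” is a constructed sample.

```c
#include <stdio.h>
#include <string.h>

/* Simulated process heap: freed regions are never zeroed, so old
 * string copies linger until something overwrites them. */
static char arena[4096];
static size_t arena_top;

static char *arena_alloc(size_t n) { char *p = arena + arena_top; arena_top += n; return p; }
static void arena_reset(void) { memset(arena, 0, sizeof arena); arena_top = 0; }

/* Leaky pattern: each keystroke produces a new string holding the text so far.
 * The previous copy is dropped but never cleared, leaving one prefix per key. */
void leaky_textbox_type(const char *password) {
    size_t len = strlen(password);
    for (size_t i = 1; i <= len; i++) {
        char *copy = arena_alloc(i + 1);   /* new allocation per keystroke */
        memcpy(copy, password, i);
        copy[i] = '\0';                    /* old copies remain readable below */
    }
}

/* Hardened pattern: one buffer, characters appended in place, then wiped
 * after the value is handed to key derivation. The volatile pointer keeps
 * the compiler from removing the wipe as a dead store. */
void hardened_textbox_type(const char *password) {
    size_t len = strlen(password);
    char *buf = arena_alloc(len + 1);
    for (size_t i = 0; i < len; i++) buf[i] = password[i];
    buf[len] = '\0';
    /* ... consume buf here (e.g. derive the database key) ... */
    volatile char *v = buf;
    for (size_t i = 0; i <= len; i++) v[i] = 0;
}

/* Count how many prefixes (length >= 2) of the password are still readable
 * anywhere in the arena; this is what a memory dump would expose. */
int count_leaked_prefixes(const char *password) {
    size_t len = strlen(password);
    int found = 0;
    for (size_t n = 2; n <= len; n++)
        for (size_t j = 0; j + n <= sizeof arena; j++)
            if (memcmp(arena + j, password, n) == 0) { found++; break; }
    return found;
}

int main(void) {
    arena_reset(); leaky_textbox_type("hunter2!");
    printf("leaky:    %d prefixes recoverable\n", count_leaked_prefixes("hunter2!"));
    arena_reset(); hardened_textbox_type("hunter2!");
    printf("hardened: %d prefixes recoverable\n", count_leaked_prefixes("hunter2!"));
    return 0;
}
```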
The disclosure occurred several months after another moderate severity weakness (CVE-2023-24055) was uncovered in the open source password manager, which could potentially be exploited to retrieve cleartext passwords from a password database by leveraging write access to the software’s XML configuration file.
KeePass has maintained that “password databases are not intended for security against attackers having that level of access to local PCs.”
It also follows findings from Google security researchers detailing a weakness in password managers such as Bitwarden, Dashlane, and Safari, which could be abused to autofill saved credentials into untrusted web pages, leading to possible account takeovers.