CVE-2023-32784: Flaw could let attackers dump the master password from KeePass’s memory

by do son · Published May 15, 2023 · Updated May 18, 2023

In an age where cyber threats are omnipresent, password managers such as KeePass Password Safe have gained popularity for their ability to securely store and manage our growing roster of passwords. This free, open-source software has been a trusted companion for Windows, Linux, Mac OS X users, and even those on mobile devices. However, a recently discovered security vulnerability has thrown a spotlight on the software, revealing that even the most secure systems are not impervious to security flaws.

Dubbed CVE-2023-32784, this security bug exposes a loophole that allows for the master password – the primary key to unlock the user’s database of passwords – to be dumped from memory, even when the workspace is locked or the application is no longer running.

Detail of CVE-2023-32784

This flaw, prevalent in KeePass 2.x versions prior to 2.54, could potentially allow a malicious actor to recover the clear text master password from a memory dump. This could be a KeePass process dump, a swap file, a hibernation file, or even a RAM dump of the entire system. The only small consolation is that the first character of the password remains unrecoverable.

To bring this vulnerability to light, a researcher known as vdohney developed a proof-of-concept tool aptly named “KeePass Master Password Dumper”. This tool effectively demonstrates how, barring the first character, the master password could be dumped from KeePass’s memory. This can be accomplished without requiring code execution on the targeted system and is possible regardless of whether the workspace is locked or if KeePass is no longer running.

A Closer Look at the Mechanics

The custom-developed text box, SecureTextBoxEx, used by KeePass 2.X for password entry is at the heart of this vulnerability. This text box is not limited to master password entry; it also features in other areas of KeePass, such as password edit boxes.

The exploit hinges on the creation of a leftover string in memory for every character typed into this text box. Given the intricacies of .NET, it becomes nearly impossible to eliminate these strings once they are created. For instance, typing the password “Password” would result in the creation of the following leftover strings: •a, ••s, •••s, ••••w, •••••o, ••••••r, •••••••d. The proof-of-concept application searches the memory dump for these patterns and suggests a probable password character for each position.

The exploit’s reliability can vary depending on how the password was typed and the number of passwords entered per session. However, vdohney discovered that even when multiple passwords were typed per session or typos were made, the ordering of these strings in memory by the .NET CLR could potentially allow for the recovery of all passwords.

While the vulnerability has since been mitigated in KeePass 2.54 through different API usage and/or random string insertion, the existence of such a flaw underscores the need for continual vigilance and regular updates in the realm of cybersecurity. Even as we entrust our digital keys to password managers, we must not forget that they too, are not invincible.

Update: May 18th

This vulnerability also affects Linux and macOS systems. The PoC is available here.