
Blog: Debunking an RCE with a CVSSv3 score of 10.0: CVE-2020-35489
Author: Vlad
Published on
At first I intended to limit myself to a simple tweet (https://twitter.com/mynameisv_/status/1618237806442336256) and an email on a private mailing list (those who know, know), but given the extent of the subject… here is a blog post. To end in joy and good humor, you will find the new features of KeePass 2.53 at the end.
KeePass is a wonderful tool which is a password vault.
I'll make it short: it's a tool that allows you to store your passwords locally and securely, requiring you to enter a "master" password to unlock them. It's handy for having complex and random passwords for each of your sites, tools, accesses…
To say it another way, it protects your passwords, it protects your buttocks, it "keeps your ass"… that's for those who didn't understand the name of this tool.
KeePass is great for keeping your secrets safe, but for an attacker it can be interesting for two main reasons:
This is an old, well-known technique that I have used several times during pentests to ensure discreet persistence on the target, but also to steal passwords.
For self-promotion, someone tried to report this feature as a vulnerability and, since it is not a vulnerability, it is "DISPUTED" at MITRE, i.e. there is debate on whether or not this is a real vulnerability.
So be careful, I'm going to put on my best bad faith, because this story is totally ridiculous:
And KeePass offers ways to make its configuration a bit more secure: https://keepass.info/help/kb/config_enf.html
The fact remains that if an attacker has access to your computer, even with limited privileges, it is only a matter of time before they have access to everything (except possibly on a Chromebook, as far as persistence is concerned).
The answer is, of course: no, thank you Cap'tain Obvious!
To compromise KeePass, an attacker must have access to the computer (or, in some cases, to a remote share). If an attacker has access to your computer, even with limited privileges, it's only a matter of time before they have access to everything (except possibly on a Chromebook for persistence).
Having a password safe is good, it's even very good: it's better than having a single password for all your accounts (password reuse, my friend and enemy), it's better than having a text or Excel file with your passwords…
If the password vault is used wisely, you will have unique, long and complex passwords for each site/application; then back it up regularly.
You can also use a safe as a web application like self-hosted Bitwarden, or as a pure service (SaaS) like the Bitwarden SaaS service, LastPass, Dashlane, 1Password… (and dear reader, before you start complaining about LastPass: yes, an online safe is interesting, but it requires a prior analysis of the threat because, indirectly, they will have your passwords, cf. https://patrowl.io/third-lastpass-hack/)
Very recently, the 2.53 update brought full support for strong authentication based on "One Time Password / OTP" by adding it to automatic completion:
The username and password are configured in the classic way here:
For auto-type, itâs here:
You can now add {HMACOTP} and {TIMEOTP} (see screenshot above) in the auto-type configuration, so you really have no excuse not to use strong authentication anymore.
By the way, if you use the OTP from the same device on which you entered your password… it's not really strong two-factor authentication (2FA) but rather "1.5 factor" or "1.5 FA". (One of the purposes of strong authentication is to have a separate device generating the OTP, because if your device is compromised, the attacker will have your password as well as your second factor…)
Use a password vault (local, SaaS, self-hosted…), use strong passwords, use a unique password per site/app, use MFA, don't believe what you read on the Internet.
And if you want to know more about strong authentication (sorry, it's only in French):
And about password security: