KeePass, ultra-mega-giga critical vulnerability 🤦‍♂️

At first I intended to limit myself to a simple tweet (https://twitter.com/mynameisv_/status/1618237806442336256) and an email on a private mailing list (those who know, know 😉) but given the extent of the subject … here is a blog post 😒. In order to end in joy and good humor, you will have the new features of KeePass 2.53 at the end 😉.

KeepPass is a wonderful tool wich is a password vault.

I’ll make it short: it’s a tool that allows you to store your passwords locally, securely and requiring you to enter a “master” password to unlock them. It’s handy for having complex and random passwords for each of your sites, tools, access… 👍.

To say it another way, it protects your passwords, it protects your buttocks, it “keeps your ass”… that’s for those who didn’t understand the name of this tool 😉.

The weaknesses of KeePass

Keepass is great for keeping your secrets safe but for an attacker it can be interesting for two main reasons 😉:

• If I compromise the user computer and have enough privileges to access the Keepass database, then I will have ALL of its secrets (which I retrieve in memory with tools like KeeFarce or KeeThief or SharpClipHistory most recent, or on disk waiting for the user to enter their password and capturing it with a keylogger…)
• If I compromise the user computer and I have written permissions on the KeePass configuration file, I can ask him to trigger an action, such as a command execution, following an event such as when it is opened, when a password database is opened, when it is closed… (which can be done manually or with tools like the recent KeePwn) The second case has been known since 2015, at least (for those on the mailing list, I refer you to the 2015 emails “KeeFarce: software that extracts data from Keepass” and “Security KeeThief, to steal the content of a KeePass”).

This is an old, well-known technique that I have used several times during pentest ensure discreet persistence on the target💪 but also to steal the passwords.

CVE-2023-24055

For self-promotion, someone tried to report a vulnerability from the feature and since it’s not a vulnerability, it’s “DISPUTED” at MITER, i.e. it There is debate on whether or not this is a real vulnerability.

So be careful, I’m going to put out my best bad faith because this story is totally ridiculous:

• Word, Excel, PowerPoint… have the same kind of functionality (code execution) with Macros
• Outlook, which you have almost all the time open, has the same kind of functionality with Addins
• Photoshop, Illustrator… have the same kind of functionality with plugins
• Firefox, Chrome… have the same kind of functionality with plugins So yes, KeePass can be misused and all your passwords can be recovered, but it’s been known and documented for years: https://keepass.info/help/kb/sec_issues.html#cfgw

And KeePass offers ways to make its configuration a bit more secure: https://keepass.info/help/kb/config_enf.html

The fact remains that if an attacker has access to your computer, even with limited privileges, it is only a matter of time before he have access to everything (except possibly on a Chrome Book concerning the persistence).

Does this challenge KeePass and having a local vault?

The answer is of course: no 🤣, thank you cap’tain Obvious!

To compromise KeePass, an attacker must have access to the computer (or, in some cases, to a remote share). If an attacker has access to your computer, even with limited privileges, it’s only a matter of time before they have access to everything (except possibly on a Chrome Book for persistence).

Having a password safe is good, it’s even very good, it’s better than having a single password for all your accounts (Password Reuse my friend enemy), it’s better than having a text or excel file with your passwords…

If the password vault is used wisely, then you will have unique, long and complex passwords for each site/application, then back it up regularly.

You can also use a safe as a web application like Bitwarden self-hosted or as a pure service (SaaS) like “Bitwarden SaaS service”, LastPass, Dashlane, 1Password… (and dear reader, before you’re starting to complain about LastPass, yes, an online safe is interesting but requires a prior analysis of the threat because, indirectly, they will have your passwords cf. https://patrowl.io/third-lastpass-hack/)

Very recently, the 2.53 update brought full support for strong authentication based on “One Time Password / OTP” by adding it to automatic completion:

The username and password are configured in the classic way here:

For auto-type, it’s here:

You can now add {HMACOTP} and {TIMEOTP} (see screenshot above) in the auto-type configuration and you really have no excuse to use strong authentication anymore😄.

By the way, if you use the OTP from the device from which you entered your password… it’s not really strong two-factor authentication (2FA) but rather “1.5 factor or “1.5 FA” 😅. (One of the purpose of strong authentication is to have a separate device generating the OTP because if your device is compromised, the attacker will have your password as well as your second factor… 😢).

Use a Password Vault (local, SaaS, self-hosted…), use strong passwords, use unique password per site/app, use MFA, don’t believe what you read on Internet 😄.

And if you want to know more about strong authentication (sorry, it’s only in French):

• Blog: Bypassing Office 365 Strong Authentication (MFA) in 3 Lines (and Fixing It 😉) https://patrowl.io/bypass-strong-authentication-doffice-365-mfa-en-3-lines-and-fix-it-%f0%9f%98%89/
• Blog: Strong authentication is good, secure is better https://patrowl.io/strong-authentication-is-good-when-it-is-secured-it-is-better/

And about password security:

• Blog: The Password Strength Chart https://patrowl.io/le-tableau-de-la-resistance-des-mots-de-passe/
• Blog: Breaking password condensates… without violence https://patrowl.io/breaking-password-dums-pass-without-violence/