KeePass 2.53< Master Password Dumper PoC (CVE-2023-32784) for Linux
Thanks to vdohney for finding this vulnerability and responsibly reporting it, and Dominik Reichl for the great open source software and quick acknowledgement/fix of the issue.
Probably not. This exploit requires access to the /proc
virtual filesystem. Specifically, proc/[pid]/mem
.
As per the proc manfile, access to this file is governed by a ptrace
access mode, PTRACE_MODE_ATTACH_FSCREDS
, which is limited to the root user in most systems.
If a malicious actor already has access to those files, you should have bigger worries.
Please update to KeePass 2.54 as soon as it is released (~July 2023), for it will somewhat mitigate this issue. (Forum)
First it starts by dumping the Keepass' process memory.
The default behaviour will be to scan all /proc/<pid>/cmdline
files and store the pid
of ones with the keyword KeePass
in their commandline argument.
It'll then acquire the adresses of memory maps in /proc/<pid>/maps
that aren't directly associated with a library, meaning they have an empty file path.
It'll then store the memory of all those maps into a buffer by taking advantage of /proc/<pid>/mem
. This would be a primitive behaviour to dump the memory of any process on Linux.
It'll parse the memory to try and find leftover strings from when the user typed his master password, strings that look like so •a, ••s, •••s
, in sequence . The first letter will be missing. You can find some other functionality by looking at the code.
gcc dump_pwd.c -o dump
and you're ready to go.