Exploit for CVE-2023-32784 exploit

Share

## https://sploitus.com/exploit?id=53D8970C-4372-5226-902B-B571B5A70FBA # KeePass 2.53< Master Password Dumper PoC ([CVE-2023-32784](https://vulners.com/cve/CVE-2023-32784)) for Linux Thanks to [vdohney](https://github.com/vdohney) for finding this vulnerability and responsibly reporting it, and Dominik Reichl for the great open source software and quick acknowledgement/fix of the issue. ## Should I be worried ? Probably not. This exploit requires access to the `/proc` virtual filesystem. Specifically, `proc/[pid]/mem`. As per the proc manfile, access to this file is governed by a `ptrace` access mode, `PTRACE_MODE_ATTACH_FSCREDS`, which is limited to the root user in most systems. If a malicious actor already has access to those files, you should have bigger worries. ## Fix pls ? Please update to KeePass 2.54 as soon as it is released (~July 2023), for it will somewhat mitigate this issue. ([https://sourceforge.net/p/keepass/discussion/329220/thread/f3438e6283/#37b9](Forum)) ## How does it work ? First it starts by dumping the Keepass' process memory. The default behaviour will be to scan all `/proc/<pid>/cmdline` files and store the `pid` of ones with the keyword `KeePass` in their commandline argument. It'll then acquire the adresses of memory maps in `/proc/<pid>/maps` that aren't directly associated with a library, meaning they have an empty file path. It'll then store the memory of all those maps into a buffer by taking advantage of `/proc/<pid>/mem`. This would be a primitive behaviour to dump the memory of any process on Linux. The rest is functionally equal to vdohney's PoC implementation, it'll parse the memory to try and find leftover strings from when the user typed his master password, that look like so `•a, ••s, •••s`. The first letter will be missing, this may not work every time, as it depends on how the user typed his password. You can find some other functionality by looking at the code or implementing your own. `gcc dump_pwd.c -o dump` and you're ready to go. ## Why does it work ? In short, KeePass' custom text box, [`SecureTextBoxEx`](https://github.com/dlech/KeePass2.x/blob/a1555354f2e262cf185605426a79d216558f1243/KeePass/UI/SecureTextBoxEx.cs#L35), creates leftover strings in memory. This seems to be because of the temporary strings created while processing user input and updating the TextBox display. Perhaps because of the conversion of the StringBuilder as a string, or maybe setting `this.Text` and modifying the text content. Although the garbage collector will eventually clean up these residual strings, they persist temporarily in memory. The creator seems to have fixed it on Windows by using different WinAPI functions for getting/setting the TextBox directly, but he reports they still persist for some lenghts, so this might be a Windows/Mono issue, we'll have to see with the next release. More interesting than the PoC itself, would be to fully understand why this happens. `"n1c3P4ssbr0!"`  ### What else ? This is just a PoC done in a couple of hours so not exactly the definition of stable. Due to the vulnerability, you might also get some thrash if the user deletes characters, or has a long password. You're free to open a PR to add functionality or fix any issues. For malicious purposes only, batteries not included, this is not financial advice and all opinions are my employer's.