An exploit can reveal your KeePass master password in plaintext

65 points by el_hacker about 2 years ago

14 comments

mtlynch about 2 years ago
I didn't find it so scary due to the fact that it requires the attacker to read process memory. But then they pointed out that if the process memory gets paged to disk, then an attacker can recover the password from disk, which is admittedly scarier.

Still, it does require the attacker to either have root on your machine or physical access to your disk. If the attacker has root on your machine, it's game over anyway. You can mitigate the threat of recovering the password from your disk by using disk encryption.

Even when I hear about KeePass vulnerabilities, they're always substantially less severe than the attacks we see on LastPass and other web-hosted password managers where an attacker can exfiltrate bulk credentials at once by compromising a server.
opan about 2 years ago
> KeePassXC... which are other password managers compatible with KeePass database files, are not affected according to vdohney.

Great.
gnabgib about 2 years ago
The source is https://www.bleepingcomputer.com/news/security/keepass-exploit-helps-retrieve-cleartext-master-password-fix-coming-soon/ (as referenced in the article). It goes into more technical detail, and skips the antivirus sales pitch.
smcleod about 2 years ago
Mods: the title should be changed to make it clear it's the KeePass app for Windows, not the KeePass vault format as used by many applications. It is not an exploit of KeePass, which is the encrypted vault used by many applications - but of a single client.
dist-epoch about 2 years ago
The actual vulnerability:

> KeePass 2.X uses a custom-developed text box for password entry, SecureTextBoxEx. This text box is not only used for the master password entry, but in other places in KeePass as well, like password edit boxes (so the attack can also be used to recover their contents).

> The flaw exploited here is that for every character typed, a leftover string is created in memory. Because of how .NET works, it is nearly impossible to get rid of it once it gets created. For example, when "Password" is typed, it will result in these leftover strings: •a, ••s, •••s, ••••w, •••••o, ••••••r, •••••••d. The POC application searches the dump for these patterns and offers a likely password character for each position in the password.

https://github.com/vdohney/keepass-password-dumper
icecap12 about 2 years ago
First significant vuln for KeePass in a while. Still a better threat model than cloud.
ajuc about 2 years ago
I think it's time to change the 90s-inspired security recommendations.

I work from home. I feel much safer with my password written on a piece of paper than with a password manager. God forbid the password manager is cloud-enabled.
jiggawatts about 2 years ago
Windows has protected memory APIs to protect against precisely this kind of vulnerability. A simple method is to mark the "secure string storage" area as locked in memory, and hence not eligible for paging to disk.
el_hacker about 2 years ago
My password is a combination of creating a complex password and forgetting it + the 'Forgot password' button. Is anyone on the same ship?
Groxx about 2 years ago
Vulnerable vs not list, to make it more prominent:

> All existing versions of KeePass 2.x (e.g., 2.53.1) are affected. Meanwhile, KeePass 1.x (an older edition of the program that’s still being maintained), KeePassXC, and Strongbox, which are other password managers compatible with KeePass database files, are not affected according to vdohney.
throw101010 about 2 years ago
Isn't it a bit unusual to release the details of an exploit before a fix is released?

The author of the software seems to be cooperating to release a fix, I would think making it public would help people who would exploit this maliciously.
_nalply about 2 years ago
Perhaps it is possible to avoid having the plaintext in memory at all?

- Only compare the crypttexts, never the plaintexts
- For input use a modified input field to minimize the time the plaintext is kept in memory, then wipe the memory used by the input field before releasing the memory
- If possible ask the OS never to swap the memory used by the input field
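
Added example, not part of any comment in this thread and not KeePass code: a minimal C sketch of the memory handling that jiggawatts and _nalply describe above (lock the buffer so it is not paged to disk, store typed characters in place, wipe before release). The `secret_*` names are hypothetical, and POSIX `mlock` stands in for the Windows `VirtualLock` call so the sketch runs on a Unix-like system.

```c
/* Added example (constructed, not KeePass code): a locked, wipeable buffer. */
#include <stdio.h>
#include <stdlib.h>
#include <sys/mman.h>   /* mlock/munlock; the Windows counterpart is VirtualLock */
#include <unistd.h>

typedef struct { unsigned char *buf; size_t cap, len; int locked; } secret_t;

/* Allocate one page and ask the OS to keep it out of swap. */
int secret_init(secret_t *s) {
    s->len = 0;
    s->cap = (size_t)sysconf(_SC_PAGESIZE);
    s->buf = aligned_alloc(s->cap, s->cap);
    s->locked = s->buf && mlock(s->buf, s->cap) == 0;
    return s->buf ? 0 : -1;   /* caller inspects s->locked and sets policy */
}

/* Store each typed character in place; no per-keystroke copy is created. */
int secret_append(secret_t *s, unsigned char c) {
    if (s->len >= s->cap) return -1;
    s->buf[s->len++] = c;
    return 0;
}

/* Overwrite via a volatile pointer so the stores are not elided as dead. */
void secret_clear(secret_t *s) {
    volatile unsigned char *p = s->buf;
    for (size_t i = 0; i < s->cap; i++) p[i] = 0;
    s->len = 0;
}

/* Wipe before the memory is unlocked and handed back to the allocator. */
void secret_destroy(secret_t *s) {
    if (!s->buf) return;
    secret_clear(s);
    munlock(s->buf, s->cap);
    free(s->buf);
    s->buf = NULL;
}

int main(void) {
    secret_t s;
    if (secret_init(&s) != 0) return 1;
    for (const char *p = "hunter2"; *p; p++)   /* constructed sample input */
        secret_append(&s, (unsigned char)*p);
    printf("locked=%d len=%zu\n", s.locked, s.len);
    secret_destroy(&s);
    return 0;
}
```

This only helps for a native buffer the program fully controls; it does nothing for copies that a runtime creates elsewhere, which is the situation the quoted description of the .NET leftover strings refers to.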
digitalsin about 2 years ago
I'm a little surprised the article doesn't mention using a key file in conjunction with a password as an added security measure.
lostmsu about 2 years ago
This is not a vulnerability because once you have the same privileges as the user, the game is over.