KeePass 2.53< Master Password Dumper PoC (CVE-2023-32784) for Linux
Thanks to vdohney for finding this vulnerability and responsibly reporting it, and Dominik Reichl for the great open source software and quick acknowledgement/fix of the issue.
Probably not. This exploit requires access to the /proc virtual filesystem. Specifically, proc/[pid]/mem.
As per the proc manfile, access to this file is governed by a ptrace access mode, PTRACE_MODE_ATTACH_FSCREDS, which is limited to the root user in most systems.
If a malicious actor already has access to those files, you should have bigger worries.
Please update to KeePass 2.54 as soon as it is released (~July 2023), for it will somewhat mitigate this issue. (Forum)
First it starts by dumping the Keepass' process memory.
The default behaviour will be to scan all /proc/<pid>/cmdline files and store the pid of ones with the keyword KeePass in their commandline argument.
It'll then acquire the adresses of memory maps in /proc/<pid>/maps that aren't directly associated with a library, meaning they have an empty file path.
It'll then store the memory of all those maps into a buffer by taking advantage of /proc/<pid>/mem. This would be a primitive behaviour to dump the memory of any process on Linux.
It'll parse the memory to try and find leftover strings from when the user typed his master password, strings that look like so •a, ••s, •••s, in sequence . The first letter will be missing. You can find some other functionality by looking at the code.
gcc dump_pwd.c -o dump and you're ready to go.
