CVE-2023-32784 - KeePass Master Password Recovery from Memory Dumps – How It Works and How to Stay Safe

*Published: June 2024*

If you use KeePass to manage your passwords, you might think your master password is fully secure. But, before KeePass 2.54, a vulnerability let attackers recover your master password from the computer’s memory—even if KeePass was locked or closed. This is recognized as CVE-2023-32784. In this post, we'll break down what this means, show you how it happens, and explain how you can protect yourself.

What’s CVE-2023-32784, Exactly?

KeePass is a popular open-source desktop password manager. Versions 2.x before 2.54 are vulnerable to a security flaw: after unlocking the database, most of your master password stays in memory—even after you’ve locked the workspace or exited KeePass. For someone with access to your system, that’s a goldmine.

Why Is This Bad?

- Memory Dump Attack: If an attacker can grab a memory dump—maybe from a live RAM dump, swap file (pagefile.sys), or a hibernation file (hiberfil.sys)—they can sift through it and retrieve your (almost complete) master password.
- Not Just While KeePass is Open: Sometimes the password hangs around in memory even after KeePass has closed.
- First Character Missing: Only the first character can’t be recovered. If your password was Xpa$$wrd!, they’ll see pa$$wrd!.

How Does the Exploit Work?

KeePass processes the master password in a way that leaves a leftover ‘trace’ in memory, specifically when building the composite key components. It temporarily stores parts of the password in strings that .NET’s garbage collection doesn’t clean up immediately—which means much of the password can stick around in plaintext for a while.

Here’s a simplified attack flow

1. Attacker gets a memory dump (of system RAM, process memory, swap/hibernation file).

Proof of Concept:  KeePass Master Password Recovery Tool

A researcher published a KeePass Master Password Dumper on GitHub. Here’s a basic workflow using Python (only for educational/legal use on your own systems):

import re

with open("keepass-memory-dump.bin", "rb") as f:
    data = f.read().decode('latin-1', errors='ignore')

# KeePass stores the master password in memory as Unicode strings
password_candidates = re.findall(r'(?<=pw:)[ -~]{7,}', data)
for pwd in password_candidates:
    print(f"Possible password fragment: {pwd}")

> Note: This is a simplified illustration and may not yield results directly against real dumps, but it shows how straightforward searching memory can be.

Full Tools

- Original Research Thread (Source)
- KeePass Master Password Dumper Tool

Why Did This Happen? (Technical Details)

- Internally, KeePass uses managed strings for parts of the master password’s processing. These managed strings, once created, can stick in memory.

Uses new APIs to avoid keeping the password in memory as managed strings.

- Randomly inserts junk data in memory alongside processing, making it harder to spot the password fragment.

Wipes memory areas right after use.

Reference:  
- KeePass Official Announcement
- KeePass Changelog

Update to KeePass 2.54 or later ASAP.

2. Use full-disk encryption: Even if your password’s in memory, it’s less likely to be compromised if disk hibernation/swap files are encrypted.

Lock your machine: Don’t give others a chance at your logged-in desktop.

4. Minimize hibernation/swap: Consider disabling or encrypting these system files if possible.

In Short…

CVE-2023-32784 is a powerful reminder that even “local only” apps can leak sensitive data. KeePass before version 2.54 leaked almost your whole master password if someone could access your PC’s memory. Luckily, the fix is out: Update KeePass, and you’re safe.

Got questions? Check the official KeePass CVE-2023-32784 advisory and update here.

Timeline

Published on: 05/15/2023 06:15:00 UTC
Last modified on: 05/26/2023 16:25:00 UTC