KeePass Vulnerability Exposes Password Lists

Thursday, June 28, 2012



Researchers from Vulnerability Lab have discovered a flaw in KeePass that could expose password lists in the current 1.22 release and older versions.

KeePass is a free open source password manager designed to allow users to better manage multiple login credentials by providing a secure database of logins accessible with a single master password or keystroke.

“Exploitation of the vulnerability requires a manipulated URL with malicious script code, a logging server with chmod 777, a listing file (random) & a KeePass v1.22 user,” Vulnerability Lab explained.

The vulnerability affects the filter/validation mode of the import/export function and could allow an attacker to inject a script while executing the database export.

“The bug will be injected on the remote way, affects the local validation (html/xml) and change the technic back when remotely transferring the password lists. The injection of the malicious URL/domain context can be done via auto save of URLs (victim) or manually (reproduce),” the researchers stated.

Softpedia reports that "an attacker with local access can manipulate the database and execute persistent script code (html/js) within the clean HTML template generated by KeePass Password Manager."

"First, the attacker sends the victim a specially crafted login page that contains a piece of code in the URL’s parameters. This script calls an HTML or a JavaScript which executes a chmod 777 command that gives full permissions to a file when processing local requests. The victim saves the URL via the “auto type engine” module of the application, and later, when he/she wants to export the file as a plain HTML, the malicious script grabs its contents and sends it back to the attacker," the report continued.
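The reports above describe entry data (a saved URL) reaching the generated HTML export without effective filtering. The Python sketch below is an added illustration of that class of flaw and its fix, not KeePass code: the function names, the table layout and the sample entries are assumptions constructed for the example. It shows a naive export beside one that HTML-encodes every field, plus a pre-export audit that flags stored URLs worth reviewing.

```python
import html
from urllib.parse import urlsplit

# Constructed sample entries; the second URL carries markup, as a saved URL could.
ENTRIES = [
    {"title": "Mail", "user": "alice", "url": "https://mail.example.test/login"},
    {"title": "Forum", "user": "alice",
     "url": 'https://forum.example.test/?next="><script>/* placeholder */</script>'},
]

ALLOWED_SCHEMES = {"http", "https", "ftp"}  # assumed policy for this example


def export_row_unsafe(entry):
    """Naive export: field values are pasted into the template verbatim."""
    return "<tr><td>{title}</td><td>{user}</td><td>{url}</td></tr>".format(**entry)


def export_row_safe(entry):
    """Hardened export: every field is HTML-encoded before it reaches the template."""
    cells = (html.escape(str(entry[k]), quote=True) for k in ("title", "user", "url"))
    return "<tr>" + "".join(f"<td>{c}</td>" for c in cells) + "</tr>"


def suspicious_url(url):
    """Pre-export audit: flag URLs with markup characters or an unexpected scheme."""
    has_markup = any(ch in url for ch in "<>\"'")
    return has_markup or urlsplit(url).scheme.lower() not in ALLOWED_SCHEMES


def export_html(entries, row=export_row_safe):
    """Build the export table using the given row renderer (safe by default)."""
    rows = "\n".join(row(e) for e in entries)
    return f"<table>\n{rows}\n</table>"


def audit(entries):
    """Return titles of entries whose URL should be reviewed before exporting."""
    return [e["title"] for e in entries if suspicious_url(e["url"])]


if __name__ == "__main__":
    print("Entries to review:", audit(ENTRIES))
    print(export_html(ENTRIES))
```
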

Vulnerability Lab researchers have consulted with KeePass developer Dominik Reichl to find a solution to the vulnerability, and stated that the issue will be resolved in the forthcoming KeePass 1.23 release.

Users should exercise caution until the new version is released.


Daives bursten: I highly recommend SplashID, because I have used it myself. Browser integration is fabulous. Also it is very easy to use. As soon as you create your account, you can actually set a pattern for SplashID login, therefore you technically have to remember zero passwords. Extremely secure for USB usages as well. Highly recommended.