Hacker News

How is this a vulnerability, if it needs admin access on the box where the user types the master password? Is there any circumstance in which you could steal someone's password this way but wouldn't be able to do so with a keylogger?
The POC[0] doesn't quite match the CVE description (a rare case of the CVE sounding better), but it looks like KeePass basically is acting as a keylogger due to use of a UI control where every character typed is stored in memory. Your KeePass master password is likely already in your swap/hibernation files.

The master password can be recovered even after KeePass was running.

"No code execution on the target system is required, just a memory dump. It doesn't matter where the memory comes from - can be the process dump, swap file (pagefile.sys), hibernation file (hiberfil.sys) or RAM dump of the entire system. It doesn't matter whether or not the workspace is locked. It is also possible to dump the password from RAM after KeePass is no longer running, although the chance of that working goes down with the time it's been since then."

[0]: https://github.com/vdohney/keepass-password-dumper
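As an added illustration of the mechanism described in the comment above (this is constructed example code, not code from KeePass or the linked POC): a toy heap in C in which a text control that builds a fresh immutable string per keystroke leaves every prefix of the password behind, next to the hardened alternative (one mutable buffer, wiped with volatile stores), plus the dump check a defender would run to confirm the wipe actually removed the residue. The arena, the function names and the sample password are all assumptions.

```c
#include <string.h>

/* Constructed toy heap: a bump allocator that never reuses or clears memory, a
 * stand-in for a managed heap where abandoned strings linger until overwritten
 * (and so surface in a process, pagefile.sys or hiberfil.sys dump). */
#define ARENA_SIZE 4096
static unsigned char arena[ARENA_SIZE];
static size_t arena_used;
static void arena_reset(void) { memset(arena, 0, ARENA_SIZE); arena_used = 0; }
static char *arena_alloc(size_t n) { char *p = (char *)arena + arena_used; arena_used += n; return p; }

/* Leaky pattern: each keystroke builds a new immutable string from the previous
 * one, so every prefix of the password is left behind in the arena. */
static char *leaky_type(const char *password) {
    char *cur = arena_alloc(1); cur[0] = '\0';
    for (size_t i = 0; password[i]; i++) {
        size_t len = strlen(cur);
        char *next = arena_alloc(len + 2);
        memcpy(next, cur, len);
        next[len] = password[i]; next[len + 1] = '\0';
        cur = next;                         /* old copy abandoned, never wiped */
    }
    return cur;
}
/* Hardened pattern: one mutable buffer appended in place (no intermediate
 * copies), wiped with volatile stores once the key has been derived from it. */
static char *safe_type(const char *password, size_t cap) {
    char *buf = arena_alloc(cap);
    size_t len = 0;
    for (size_t i = 0; password[i] && len + 1 < cap; i++) { buf[len++] = password[i]; buf[len] = '\0'; }
    return buf;
}
static void secure_wipe(char *buf, size_t cap) { volatile char *p = buf; while (cap--) *p++ = 0; }

/* Dump check a defender can run after a wipe: how many prefixes of the password
 * (lengths 1..len) still sit in the arena as NUL-terminated strings. */
static int residual_prefixes(const char *password) {
    int found = 0;
    for (size_t n = 1; n <= strlen(password); n++)
        for (size_t i = 0; i + n < ARENA_SIZE; i++)
            if (memcmp(arena + i, password, n) == 0 && arena[i + n] == '\0') { found++; break; }
    return found;
}
/* Scenario 0: leaky; 1: hardened, password still held; 2: hardened and wiped. */
static int residue_for(int scenario) {
    static const char pw[] = "hunter2";     /* constructed sample, not a real secret */
    arena_reset();
    if (scenario == 0) leaky_type(pw);
    else { char *b = safe_type(pw, 64); if (scenario == 2) secure_wipe(b, 64); }
    return residual_prefixes(pw);
}
```

With the leaky control all seven prefixes of the sample password are recoverable from the arena; the in-place buffer leaves only the final string while it is in use, and none after the wipe.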
