KeePass Memory Leakage Vulnerability Analysis - CVE-2023-32784

Posted on Oct 9

KeePass is an open-source password manager. It is designed to help users store and manage their passwords and sensitive information for secure access to various online services and applications.

KeePass provides a secure database where usernames, passwords, website links, additional instructions, and other custom fields can be stored. This information is protected by encryption and requires a master password or key file to unlock and access.

KeePass has released version 2.54, fixing the CVE-2023-32784 vulnerability that allows the extraction of the cleartext master password from the application's memory.

When creating a new KeePass password manager database, users must create a master password, which is used to encrypt the database. When opening the database in the future, users must enter this master password to decrypt it and access the credentials stored within it.

This vulnerability exists in KeePass 2.x versions prior to 2.54. The cause is that when text is entered into the KeePass text box, a managed string is created in the process memory. If that memory is dumped, the master password leaks.

The author chose KeePass 2.53.1 for vulnerability analysis and verification.

Start by entering a 14-character master password.

The code that creates the vulnerability is in the KeePass/UI/SecureTextBoxEx.cs file. During input, as the .NET CLR executes this code, a managed string is generated. The entered character is stored in memory in plain text, and the characters entered before it are represented by the placeholder chPasswordChar.

According to the definition of PasswordCharEx, the placeholder for 64-bit machines is \xCF\x25.

After entering the password, take a memory dump of the process. The author used Windows Task Manager to create a process dump file.

Then open the DMP file using a binary editor. Search for the placeholder \xCF\x25 based on known information.
As shown in the figure below, a placeholder appears first, followed by the plaintext character E.

Continuing the search, two placeholders appear, followed by the plaintext character S.

Continuing in the same way, the number of placeholders increases from 1 to 13, with one plaintext character after each run of placeholders. As shown in the figure below, there are 13 placeholders, and the last plaintext character is G.

Using automated analysis tools to find the placeholder + plaintext binary data gives {UNKNOWN}ESTY_INSBUG. It gives 4 possible results, and the result EST_BY_INSBUG is the last 13 characters of the 14-character password entered by the author.

To sum up: when a password is entered in the text box for setting the master password, the first character cannot be obtained from memory, but every other character is stored in memory as a managed string of placeholders + a plaintext character. If you enter 123, the managed strings that can be obtained from memory have the following form:

\xCF\x25\x32\xCF\x25\xCF\x25\x33

KeePass 2.x can also run on the Mono platform (which allows .NET applications to run under Linux and macOS), and this problem exists there as well, so the root problem may be related to the .NET CLR.

The KeePass developers' fix to the source code is as follows:

When running on Windows, KeePass now calls Windows API functions to directly get/set the text of the text box to avoid creating managed strings. For most lengths, the managed string for "●...●?" no longer appears in process memory, but for some lengths, there is still a managed string. (Maybe the Windows API function also creates a buffer.)

KeePass now creates some dummy fragments (random fragments containing random characters, approximately the length of the current password) in the process memory.
With this, it should be more difficult to determine the correct managed string.

Users can download the unsigned fixed build at https://keepass.info/news/n230603_2.54.html, or wait for the 2.54 stable version from the developer.

Source: https://tutorialboy24.blogspot.com/2023/10/keepass-memory-leakage-vulnerability.html
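The placeholder + character residue and the dummy-fragment mitigation described above can be measured on a buffer. This is an added example, not code from the original post or from KeePass: it counts how many distinct candidates a buffer exposes per password position, without returning the characters themselves. Assumptions: the buffer is constructed, the function names are hypothetical, characters are stored as UTF-16LE (two bytes each), and dummy fragments are modelled as having the same placeholder + character shape.

```python
import random
import re
from collections import defaultdict

BULLET = "\u25cf"  # placeholder char; its UTF-16LE bytes are CF 25, as in the article
# Run of placeholders followed by one printable ASCII char stored as UTF-16LE.
FRAGMENT = re.compile(rb"((?:\xcf\x25)+)([\x20-\x7e])\x00")

def candidates_per_position(dump: bytes) -> dict:
    """Map password position -> number of distinct characters seen there.

    A fragment with n placeholders exposes position n (0-based); position 0
    never appears. Only counts are returned, never the characters."""
    seen = defaultdict(set)
    for m in FRAGMENT.finditer(dump):
        seen[len(m.group(1)) // 2].add(m.group(2))
    return {pos: len(chars) for pos, chars in sorted(seen.items())}

def unambiguous_positions(dump: bytes) -> list:
    """Positions with exactly one candidate, i.e. fully exposed."""
    return [p for p, n in candidates_per_position(dump).items() if n == 1]

def build_dump(typed: str, dummies_per_length: int = 0, seed: int = 1) -> bytes:
    """Constructed stand-in for a process dump (not real KeePass memory)."""
    rng = random.Random(seed)
    pool = [chr(c) for c in range(0x21, 0x7F)]
    fragments = []
    for i in range(1, len(typed)):
        fragments.append(BULLET * i + typed[i])  # residue left by typing char i
        # Assumed model of the 2.54 dummy fragments: same shape, random char.
        others = [c for c in pool if c != typed[i]]
        for c in rng.sample(others, dummies_per_length):
            fragments.append(BULLET * i + c)
    rng.shuffle(fragments)
    out = bytearray()
    for frag in fragments:
        # Filler uses control bytes only, so it cannot form a false match.
        out += bytes(rng.randrange(1, 0x20) for _ in range(rng.randrange(8, 64)))
        out += frag.encode("utf-16-le")
    return bytes(out)

if __name__ == "__main__":
    typed = "Constructed#1"  # constructed sample input, 13 characters
    for label, k in (("no dummies", 0), ("3 dummies per length", 3)):
        dump = build_dump(typed, k)
        print(label, candidates_per_position(dump), unambiguous_positions(dump))
```

A position that still reports exactly one candidate after upgrading is one the mitigation did not mask.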



This post first appeared on VedVyas Articles, please read the original post: here
