#1631 Sensitive data on command line is insecure

closed
nobody
None
5
2012-08-14
2012-08-02
Tyler Laing
No

Passing a master password as a command line parameter to KeePass is insecure because the master password can then be easily discovered by other processes during the entire run of KeePass. Because KeePass takes such great efforts to protect sensitive data and because this feature exposes an extremely easy security hole to the most sensitive KeePass data of all (a master password) it seems a defect to feature command line arguments that accept sensitive data.

A possible fix is to accept sensitive data via stdin instead of via command line. If the command line features must remain then it seems to be a documentation defect in (http://keepass.info/help/base/cmdline.html) where the issues should be clearly stated to warn unsuspecting users.

Examples of how to get command line information from other processes:
[1] http://windowsxp.mvps.org/listproc.htm
[2] http://www.codeproject.com/Articles/19685/Get-Process-Info-with-NtQueryInformationProcess
[3] http://stackoverflow.com/questions/821837/how-to-get-the-command-line-args-passed-to-a-running-process-on-unix-linux-syste

Discussion

  • Paul
    2012-08-03

    This is not a bug, maybe a feature request.

    cheers, Paul

  • Tyler Laing
    2012-08-03

    Given that this issue goes against KeePass' security goals I still view it more as a bug (I did propose a possible fix, but that was more a feature-replacement-request - still that's not the point, the point is the security issue).

    From (http://keepass.info/help/base/security.html):

    "While KeePass is running, sensitive data (like the hash of the master key and entry passwords) is stored encrypted in process memory."

    "Additionally, KeePass erases all security-critical memory when it's not needed anymore, i.e. it overwrites these memory areas before releasing them (this applies to all security-critical memory, not only the password fields)."

    Technically you might argue that what I'm describing is outside of process memory and thus does not fit the above quotes; but nonetheless the issue is certainly counter to the security ideals of KeePass.

    As I also mentioned, this could simply be a "documentation bug".

  • Paul
    2012-08-03

    There is not much KeePass can do once the password is on the command line, but there is the "-pw-enc" option to make the process more secure.

    cheers, Paul

  • Tyler Laing
    2012-08-03

    -pw-enc is also sensitive data. It's only slightly more secure; but alas not terribly secure. From the code, I see it uses DataProtectionScope.CurrentUser for encryption which has the following comments:

    // Summary:
    // The protected data is associated with the current user. Only threads running
    // under the current user context can unprotect the data.

    So any process running under the same user context could decrypt it. It's on the command line so it's easy to get. The method of decryption is readily available in KeePass' open source code. However, now we're talking about Specialized Spyware, whereas KeePass states "All security features in KeePass protect against generic threats" [not Specialized Spyware].

    But all of the above is beside the point to the weakness of the -pw command argument feature AND the documentation of it.

    Understandably, removing that feature could break existing work flows. However, if this were concerning enough, it may be worthwhile to remove.

    There certainly is something that can be fairly easily done: update the existing documentation, specifically in: http://keepass.info/help/base/cmdline.html

    One pertinent section of that page is "Starting KeePass using a Batch File" in which it states:

    "You can theoretically simply put the command line (i.e. application path and parameters) into the batch file, BUT THIS IS NOT RECOMMENDED as the command window will stay open until KeePass is closed." (emphasis added by me).

    The gist being that if the command window stays open the master password would be displayed in it in plain text and that's bad. Well, guess what, the master password is still easily gotten even when following that section, yet the reader is not warned, and possibly worse the reader is left incorrectly believing that following its example securely leaves no trace of a plain text master password.

  • Dominik Reichl
    2012-08-14

    The feature is working as intended and the documentation is correct, thus this is no bug. Moving to open feature requests.

  • Dominik Reichl
    2012-08-14

    • status: open --> closed

  • Tyler Laing
    2012-08-14

    Thanks for adding the -pw-stdin feature and for updating the documentation. The "Resolution" above states "None" but you indeed resolved this request :-)
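Added example, not from the ticket or from KeePass's code: a small POSIX check that shows why the thread's concern holds and why -pw-stdin closes it. A Python child process stands in for KeePass (it ignores the switches, which only mirror the ticket's -pw and -pw-stdin names), and its command line is read the way any other same-user process could read it, via /proc or ps.

```python
"""Shows that a secret in argv is readable by any same-user process, while a
secret fed over stdin is not.  Constructed example; the child is a stand-in
for KeePass, not KeePass itself.  POSIX only (/proc or ps)."""
import subprocess
import sys

# Stand-in child: blocks on one line of stdin, then exits.  This keeps it
# alive long enough for us to inspect its command line from "outside".
CHILD = "import sys; sys.stdin.readline()"


def visible_cmdline(pid: int) -> str:
    """Return pid's command line as an unprivileged same-user process sees it."""
    try:
        with open(f"/proc/{pid}/cmdline", "rb") as f:          # Linux, no tools needed
            return f.read().replace(b"\0", b" ").decode(errors="replace")
    except FileNotFoundError:                                    # e.g. macOS / BSD
        out = subprocess.run(["ps", "-ww", "-o", "args=", "-p", str(pid)],
                             capture_output=True, text=True, check=True)
        return out.stdout.strip()


def secret_leaks_via_argv(secret: str) -> bool:
    """Insecure pattern from the ticket: KeePass.exe db.kdbx -pw:<master password>."""
    child = subprocess.Popen([sys.executable, "-c", CHILD, "-pw:" + secret],
                             stdin=subprocess.PIPE, text=True)
    try:
        seen = visible_cmdline(child.pid)
    finally:
        child.communicate("\n")            # release the stand-in
    return secret in seen


def secret_leaks_via_stdin(secret: str) -> bool:
    """Mitigated pattern (-pw-stdin): argv carries only the switch; the secret
    travels through a pipe that only parent and child hold."""
    child = subprocess.Popen([sys.executable, "-c", CHILD, "-pw-stdin"],
                             stdin=subprocess.PIPE, text=True)
    try:
        seen = visible_cmdline(child.pid)
    finally:
        child.communicate(secret + "\n")   # the stand-in consumes and discards it
    return secret in seen


if __name__ == "__main__":
    pw = "constructed-master-password"     # placeholder, not a real secret
    print("argv exposes secret: ", secret_leaks_via_argv(pw))    # True
    print("stdin exposes secret:", secret_leaks_via_stdin(pw))   # False
```

The same check applies to -pw-enc: the encrypted blob still sits in argv, so it is just as visible, only harder to use, as the thread notes.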