#1462 Two-Channel Auto-Type Obfuscation Bypass

Group: KeePass_2.x
Status: closed
Owner: nobody
Priority: 5
Updated: 2016-01-09
Created: 2016-01-08
Private: No

Hello,

I identified a security issue within the Two-Channel Auto-Type Obfuscation functionality. KeePass is using the old clipboard chain to block applications from receiving events from the clipboard chain. The statements in the FAQ [1] only apply to Windows XP or lower; the protection given by the two-channel auto-type obfuscation is ineffective from Windows Vista or higher.

I have made an 18-line keylogger which uses the AddClipboardFormatListener function from the Win32 API [2] to bypass this protection and capture the clipboard contents from the split secret.

The old clipboard viewer linked list has no longer been recommended since 2011 [3].

Thanks,

[1] http://keepass.info/help/v2/autotype_obfuscation.html
[2] https://msdn.microsoft.com/en-us/library/windows/desktop/ms649033(v=vs.85).aspx
[3] https://blogs.msdn.microsoft.com/oldnewthing/20110919-00/?p=9613

Related

Bugs: #1462

Discussion

  • Paul

    Paul - 2016-01-08

    Isn't that the point of TCATO, clipboard spies can only get part of the password?

    cheers, Paul

     
  • Dominik Reichl

    Dominik Reichl - 2016-01-08

    The point of TCATO is to split the data such that one part is transferred using the keyboard only (simulated keypresses) and one part using the clipboard. The blocking of clipboard events is just a bonus; TCATO is effective even without it.

    In order to prevent confusion in the future, I've now removed the section about clipboard event blocking from the help page. As you correctly noticed, since Windows Vista there is a way to circumvent the blocking anyway.

    Thanks and best regards,
    Dominik

     
  • Dominik Reichl

    Dominik Reichl - 2016-01-08
    • status: open --> closed
    • private: Yes --> No
    • Priority: 7 --> 5
     
    • Daniel Correa

      Daniel Correa - 2016-01-08

      Hello Dominik, Paul

      TCATO is not effective if you can capture both keypresses and clipboard data. The old clipboard chain avoids this issue, but as stated before it does not work as expected since Windows Vista.

      Again, statements from the FAQ are inaccurate as you are relying on the split secret contained in the clipboard: "TCATO makes standard keyloggers useless. It uses the Windows clipboard to transfer parts of the auto-typed text into the target application. Keyloggers can see the Ctrl-V presses, but do not log the actual contents pasted from the clipboard."

      If required I can provide you with a short video capturing the whole secret using TCATO.

      Thanks,

      --
      Regards,
      Daniel Correa

  • Paul

    Paul - 2016-01-08

    Nobody said TCATO was completely secure; it's just one more tool in your arsenal.

    cheers, Paul

     
  • Dominik Reichl

    Dominik Reichl - 2016-01-08

    Obviously, TCATO is useless when spyware captures both channels (keyboard and clipboard). It is only effective against spyware that is either a standard keylogger or a clipboard spy, as mentioned in the introductory section of the TCATO help page.

    Best regards,
    Dominik

     
  • T. Bug Reporter

    T. Bug Reporter - 2016-01-09

    So, does this mean that the statement on the TCATO page that

    None of the currently available keyloggers or clipboard spies can eavesdrop an obfuscated auto-type process

    is no longer true - or no longer relevant, in that any halfway competent script kiddie can now cobble together a homebrew program to defeat this by capturing both channels at once?

     
  • Daniel Correa

    Daniel Correa - 2016-01-09

    I agree with T. Bug Reporter; it is not theoretically possible but practically possible, as I now have dedicated software that captures both channels. It would only apply to Windows XP or lower as there is no way to capture the clipboard contents.

    The specialized spyware section is just a way to protect those security concepts of KeePass from this kind of issue, but specialized software could be converted into a standard one.

    Regards,
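
The two-channel split that Dominik Reichl describes in the discussion above, as an added example that is not part of the original ticket and is not KeePass code: a simplified model in which a random half of the characters travels via the clipboard and the rest via simulated keypresses, showing what a keyboard-only observer, a clipboard-only observer and an observer of both channels each learn. The function names, the event encoding and the sample secret are constructed for illustration.

```python
import random

def tcato_events(secret, rng):
    """Simplified model: event stream the target receives for one auto-type."""
    if not secret:
        return []
    clip_idx = set(rng.sample(range(len(secret)), max(1, len(secret) // 2)))
    clip_part = "".join(secret[i] for i in sorted(clip_idx))
    # Channel 1: clipboard content, pasted with a single keypress.
    events = [("clipboard_set", clip_part), ("key", "CTRL+V")]
    # Channel 2: cursor to start, then walk the final string, skipping
    # pasted characters and typing the ones that were held back.
    events += [("key", "LEFT")] * len(clip_idx)
    events += [("key", "RIGHT" if i in clip_idx else ch)
               for i, ch in enumerate(secret)]
    return events

def target_field(events):
    """Replay the events into a model text box and return its content."""
    buf, cur, clipboard = [], 0, ""
    for kind, val in events:
        if kind == "clipboard_set":
            clipboard = val
        elif val == "CTRL+V":
            buf[cur:cur] = clipboard
            cur += len(clipboard)
        elif val == "LEFT":
            cur = max(0, cur - 1)
        elif val == "RIGHT":
            cur = min(len(buf), cur + 1)
        else:
            buf.insert(cur, val)
            cur += 1
    return "".join(buf)

def observer_learns(events, sees_keys, sees_clipboard):
    """Characters available to an observer of one or both channels."""
    if sees_keys and sees_clipboard:
        return target_field(events)          # both channels: full replay
    if sees_keys:                            # typed characters only
        return "".join(v for k, v in events if k == "key" and len(v) == 1)
    if sees_clipboard:                       # pasted fragment only
        return "".join(v for k, v in events if k == "clipboard_set")
    return ""

if __name__ == "__main__":
    ev = tcato_events("S3cret-Passw0rd!", random.Random(1462))  # constructed secret
    for keys, clip in [(True, False), (False, True), (True, True)]:
        print(keys, clip, repr(observer_learns(ev, keys, clip)))
```

Each single-channel observer still learns a subset of the characters, which is why the threat model in the thread is limited to spyware that watches only one channel.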

     
