KeePass XML External Entity Injection (XXE) Vulnerability
Affected Version
KeePass 2.38
Description:
XML eXternal Entity injection (XXE) is a type of attack against an application that parses XML input. This attack occurs when untrusted XML input containing a reference to an external entity is processed by a weakly configured XML parser. This attack may lead to the disclosure of confidential data, denial of service, Server Side Request Forgery (SSRF), port scanning from the perspective of the machine where the parser is located, and other system impacts.
For more details, please find the attached report.
KeePass already prohibits DTD processing for KeePass 2.x XML (both for the XML within KDBX files and the import modules related to this XML format). When trying to load your 'xxe.xml' file, KeePass shows the following error message: "For security reasons DTD is prohibited in this XML document.".
Apparently, you've used some import module for a foreign file format. I've reviewed all of them now. Some of them unnecessarily allowed DTD processing, which I've disabled now. Note that this only has an effect when running KeePass under .NET 4.5.1 or earlier, as prohibiting DTD processing is already the default in .NET 4.5.2 and newer.
Here's the latest development snapshot for testing:
https://keepass.info/filepool/KeePass_180126.zip
For exploiting the problem, unusual usage scenarios were required. For example, in order to obtain the contents of a sensitive file, an attacker would need to know the file's path, craft a malicious XML file and send it to the user; the user needs to import this XML file using one of the foreign file format import modules that were affected, save/export the data again to a new file and send the new file back to the attacker. All manually, and the user must look neither at the data in the database nor into any of the files (and must be using .NET 4.5.1 or earlier). Thus, in my opinion this was a very minor vulnerability. Well, it's fixed now; thanks for reporting it!
Best regards,
Dominik
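As an added illustration of the fix described in the reply above (example code, not KeePass's own import module), this C# snippet loads an import file through an XmlReader with DTD processing explicitly prohibited, so the outcome does not depend on the .NET version's defaults. The sample XML, its placeholder SYSTEM path and the SafeXmlImport class name are constructed for this example.

```csharp
using System;
using System.IO;
using System.Xml;

// Hypothetical helper for loading untrusted XML import files.
static class SafeXmlImport
{
    // Explicit settings make the behaviour independent of the .NET version:
    // DOCTYPE declarations are rejected outright, and no resolver exists to
    // fetch external resources even if one slipped through.
    static XmlReaderSettings HardenedSettings()
    {
        return new XmlReaderSettings
        {
            DtdProcessing = DtdProcessing.Prohibit,
            XmlResolver = null
        };
    }

    // Loads import data; throws XmlException if the input carries a DOCTYPE.
    public static XmlDocument Load(string xmlText)
    {
        var doc = new XmlDocument();
        doc.XmlResolver = null; // the document itself resolves nothing either
        using (var sr = new StringReader(xmlText))
        using (var reader = XmlReader.Create(sr, HardenedSettings()))
        {
            doc.Load(reader);
        }
        return doc;
    }

    static void Main()
    {
        // Constructed sample: an import file declaring an external entity.
        // The SYSTEM path is a placeholder, not a real location.
        const string hostile =
            "<?xml version=\"1.0\"?>\n" +
            "<!DOCTYPE data [<!ENTITY ext SYSTEM \"file:///PLACEHOLDER/file.txt\">]>\n" +
            "<data><entry><title>&ext;</title></entry></data>";

        // Constructed sample: a well-formed import file without a DOCTYPE.
        const string benign =
            "<?xml version=\"1.0\"?><data><entry><title>Mail</title></entry></data>";

        Console.WriteLine(Load(benign).SelectSingleNode("//title").InnerText);

        try
        {
            Load(hostile);
            Console.WriteLine("UNEXPECTED: DOCTYPE was accepted");
        }
        catch (XmlException ex)
        {
            // .NET reports the message quoted in the reply above.
            Console.WriteLine("Rejected: " + ex.Message);
        }
    }
}
```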