Many KeePass settings can be changed WITHOUT entering Master Password

Ad Hoc
2013-02-08
2013-02-09
  • Ad Hoc

    Ad Hoc - 2013-02-08

    I am running KeePass 1.25 in Win7Pro x64. I have found that one can load the app and access many items in the File, View, Tools, and Help menus (including "Options", "Repair KeePass Database File", "Check for Updates", etc) without having to enter the master password. This allows for changes of the app by unauthorized users with access to the computer and is a major security issue. The fix for it should be extremely simple to implement (i.e., verify status of flag signalling that a password has been entered and vetted before any menu item can be accessed) and should be released ASAP.

     
    Last edit: Ad Hoc 2013-02-08
  • wellread1

    wellread1 - 2013-02-08

    I have found that one can load the app and access many items in the File, View, Tools, and Help menus (including "Options", "Repair KeePass Database File", "Check for Updates", etc) without having to enter the master password.

    The devil is in the details. The settings you are referring to are installation specific settings and are independent of the principal mechanism KeePass uses for database security (i.e. the Master Key and Database encryption). To take as an example the two settings that you referred to: "Repair KeePass Database File" can't be completed unless you have the Master Key; "Check for Updates" will take you to the developer's download site with whom you have a trust relationship already.

    unauthorized users with access to the computer ... is a major security issue

    Above is the actual problem. This problem is independent and outside the scope of KeePass because a successful malicious attack on your computer compromises everything on the computer including KeePass whether the interface is protected or not. The KeePass interface does what it can to help the user maintain a secure Database by allowing the user to specify a lock interval, etc. But ultimately, the user is responsible to implement the necessary global measures (e.g. anti-malware, limiting physical access, safe browsing techniques etc.) to ensure the overall security of their computer.

     
    • Ad Hoc

      Ad Hoc - 2013-02-08

      I have found that one can load the app and access many items in the File, View, Tools, and Help menus (including "Options", "Repair KeePass Database File", "Check for Updates", etc) without having to enter the master password.

      The devil is in the details.

      Indeed. And in more ways than you appear to imagine. For instance, opportunistically, a malicious third party could load the app, open Options, and change the bottom-most setting in the Security tab so that new entries expire in 1 day by default (a condition in which the app is most unlikely to be used routinely). If the user has installed KeePass with this setting OFF and does not check the status of all the options before running the app --two conditions more than likely to apply to the typical user--, such a setting change can result in the loss of subsequent database entries.

      Or, to envision another instance, a setting can also be changed without requiring master password vetting so that the app is minimized, instead of closed, when clicking on the X button (see GUI tab). In this situation, a user who clicks on the close button of the app because he/she abruptly has to move away from the computer for a period of time will be leaving all the passwords exposed in the minimized app.

      The settings you are referring to are installation specific settings and are independent of the principal mechanism KeePass uses for database security (i.e. the Master Key and Database encryption). To take as an example the two settings that you referred to: "Repair KeePass Database File" can't be completed unless you have the Master Key; "Check for Updates" will take you to the developer's download site with whom you have a trust relationship already.

      Given the fact I have described how a very simple change, which [i] does not require the master password and [ii] is not installation specific but can be made at will any time, can make the user lose his or her subsequent database entries after said change, your argument clearly is off the mark.

      unauthorized users with access to the computer ... is a major security issue

      Above is the actual problem. This problem is independent and outside the scope of KeePass because a successful malicious attack on your computer compromises everything on the computer including KeePass whether the interface is protected or not. The KeePass interface does what it can to help the user maintain a secure Database by allowing the user to specify a lock interval, etc. But ultimately, the user is responsible to implement the necessary global measures (e.g. anti-malware, limiting physical access, safe browsing techniques etc.) to ensure the overall security of their computer.

      With due respect, I hope you aren't the programmer in charge of KeePass. To shift to the user the onus of protecting many settings of a software that for most of its actions does demand a master password seems a short-sighted, if not lazy, approach. Even more when the fix for that could not be simpler: the checking of a flag status. And even still more in a case when settings that the author explicitly recommends to avoid are left vulnerable to malicious change. I have not taken a look at the API specs, but allowing for non-password vetted changes enabling remote control and always granting full access via remote control is, in principle, poor programming policy.

      Cheers

       
  • wellread1

    wellread1 - 2013-02-09

    It is true that mischief makers can inconvenience a user by diddling with KeePass settings. They can also change the settings so that the Database does not lock or close as the user configured it. This increases the risk of compromise somewhat, but is not of itself damaging. Additional malicious steps are required. Vigilance, good general computer security hygiene, and familiarity with KeePass operation will protect against escalation of these types of attacks.

    If you are still concerned about the ability to change these settings and you run as a Standard User then consider using an enforced configuration file. KeePass disables the UI for many settings when they are loaded from a KeePass.config.enforced.xml. The KeePass.config.enforced.xml must be write protected to prevent modification.

    To expand a little on the subject of compromised computers: Once a computer is compromised the most likely attack vectors are not affected by KeePass settings. Malicious software can attack a briefly opened database regardless of KeePass auto lock or close settings. Malicious software could install a key logger to harvest login credentials wherever they are used, it could install KeePass emulators or custom builds of KeePass that harvest your Master Key, or it could save an unprotected version of your database and steal it. I suspect the authors of malicious software have found far more creative ways of obtaining sensitive information than either you or I imagine.

    The upshot of this is that if your computer is compromised it is not safe to run KeePass...period. The most effective way to prevent this catastrophe is with security measures directed at preventing and protecting the computer as a whole (anti-malware, appropriate OS security, physical security, etc.).

    P.S. Entry data is not lost when it expires, it is marked expired.
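
One way to verify the write protection of KeePass.config.enforced.xml mentioned in the post above, as an added example that is not part of the original thread or of KeePass: a PowerShell function that lists every non-administrative principal holding write-type rights on the enforced configuration file or on its folder. The function name and the install path in the usage comment are assumptions.

```powershell
# Added example: audit who can modify an enforced KeePass configuration file.
# Get-EnforcedConfigWriters is a hypothetical helper name, not a KeePass tool.
function Get-EnforcedConfigWriters {
    param([Parameter(Mandatory)][string]$ConfigPath)

    # Principals expected to hold write access on a protected install folder.
    $trusted = @(
        'S-1-5-18',      # NT AUTHORITY\SYSTEM
        'S-1-5-32-544',  # BUILTIN\Administrators
        'S-1-5-80-956008885-3418522649-1831038044-1853292631-2271478464'  # TrustedInstaller
    )

    # Rights that allow changing, replacing or re-permissioning the file.
    $mask = [int][System.Security.AccessControl.FileSystemRights]'Write, Delete, DeleteSubdirectoriesAndFiles, ChangePermissions, TakeOwnership'
    $sidType = [System.Security.Principal.SecurityIdentifier]

    # The folder matters too: write access there allows delete-and-replace.
    foreach ($target in @($ConfigPath, (Split-Path -Parent $ConfigPath))) {
        $acl = Get-Acl -LiteralPath $target

        # An untrusted owner can rewrite the ACL at any time.
        $owner = $acl.GetOwner($sidType).Value
        if ($trusted -notcontains $owner) {
            [pscustomobject]@{ Target = $target; Sid = $owner; Finding = 'Owner' }
        }

        # Explicit and inherited allow rules, with identities resolved to SIDs.
        foreach ($rule in $acl.GetAccessRules($true, $true, $sidType)) {
            if ($rule.AccessControlType -ne 'Allow') { continue }
            if ($trusted -contains $rule.IdentityReference.Value) { continue }
            if (([int]$rule.FileSystemRights -band $mask) -eq 0) { continue }
            [pscustomobject]@{
                Target  = $target
                Sid     = $rule.IdentityReference.Value
                Finding = [string]$rule.FileSystemRights
            }
        }
    }
}

# Usage (the install path is an assumption; adjust to the actual location):
# Get-EnforcedConfigWriters -ConfigPath 'C:\Program Files\KeePass Password Safe 2\KeePass.config.enforced.xml'
```

No output means only SYSTEM, Administrators and TrustedInstaller can alter the file or its folder; any row returned identifies an account that could undo the enforced settings.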

     
  • Paul

    Paul - 2013-02-09

    Ad-hoc, you are welcome to make the suggested changes and release an alternate version of KeePass. That is the point of open source software, if you see room for improvement, you can make it.

    cheers, Paul

     
  • Dominik Reichl

    Dominik Reichl - 2013-02-09

    There already exists a plugin that disables various menu items and options while no database is opened: https://github.com/TLHobbes/OptionLock

    However, this does not increase security at all. It gives a false sense of security to users and furthermore can lead to usability problems/deadlocks.

    I agree with all the statements by wellread1. I also wrote a bit about this in the section 'Specialized Spyware' here: http://keepass.info/help/base/security.html#secspecattacks

    Best regards,
    Dominik

     
