
Using ASLR with High Entropy to negate KeeThief and other malware.

Theliel
2019-02-05
  • Theliel

    Theliel - 2019-02-05

    Hi Dreichl

    First of all, congratulations on this great project. Despite being a "fan" of security, it was not until recently that I ended up being a "fanatic" of KeePass too.

    After reading long and hard (I'm still at it) about possible attacks and the mitigations that could be affected or implemented, I stumbled, as expected, upon KeeThief. Of course I read the original article and also your description of the "problem".

    The option to eliminate the Master Password from memory solves the problems derived from keeping it there, and it works well as long as KeePass does not require it. Looking at the code, however, I've noticed that ASLR is being applied by default with low entropy. On 64-bit systems the use of HEASLR (bottom-up) can be enforced, which not only solves (in principle) the KeeThief problem, but adds an additional important layer against other possible attack vectors too, making it much more complicated to "guess" critical memory addresses.

    By doing some tests on my system, the simple use of HEASLR (at compile time, or even forcing it in the configuration panel of Windows 10) is enough to make it impossible for KeeThief to recover the Master password; it can recover the number of characters at best, but it cannot reach the proper memory region.

    It is very possible that HEASLR could also be overtaken by other malware, but in any case it would be adding an important layer of additional security, at a minimum cost, even if it were only functional on 64 bits (I have not noticed any problems for now; everything is working fine).

    Thanks anyway and please, keep up this great work.


    Last edit: Theliel 2019-02-05
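The post above talks about HEASLR being opted into "at compile time" and about checking whether it is really in effect. The opt-in lives in one field of the PE header (DllCharacteristics in the optional header), which is what editbin /HIGHENTROPYVA or the C# compiler's /highentropyva+ switch sets, and Windows honours it only for 64-bit (PE32+) images that also carry DYNAMIC_BASE. The following checker is an added example, not code from KeePass or from anyone in this thread; it parses the header with the standard library only, reports the relevant bits, can set them the way editbin does, and builds a constructed header-only stub so it runs offline. The constant values are from the PE/COFF specification; the stub builder and its field values are assumptions made for testing.

```python
"""Check (and set) the PE header bits behind Windows HEASLR.

Added example, not code from the KeePass project or from the thread.
HEASLR is opted into per image via DllCharacteristics in the PE optional
header. Windows honours it only for 64-bit (PE32+) images that also have
DYNAMIC_BASE set; aslr_status() reports that combined condition.
"""
import struct

# IMAGE_DLLCHARACTERISTICS_* values from the PE/COFF specification.
HIGH_ENTROPY_VA = 0x0020
DYNAMIC_BASE = 0x0040
NX_COMPAT = 0x0100
GUARD_CF = 0x4000

PE32_MAGIC = 0x10B
PE32PLUS_MAGIC = 0x20B
COFF_HEADER_SIZE = 20
# DllCharacteristics sits at the same offset in PE32 and PE32+ optional headers.
DLLCHAR_OFFSET = 70


def _locate_dllchar(image: bytes):
    """Return (file offset of DllCharacteristics, is_pe32plus) or raise ValueError."""
    if image[:2] != b"MZ":
        raise ValueError("not a PE image: missing MZ signature")
    (e_lfanew,) = struct.unpack_from("<I", image, 0x3C)
    if image[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE image: missing PE signature")
    opt = e_lfanew + 4 + COFF_HEADER_SIZE
    (magic,) = struct.unpack_from("<H", image, opt)
    if magic not in (PE32_MAGIC, PE32PLUS_MAGIC):
        raise ValueError("unknown optional header magic 0x%x" % magic)
    return opt + DLLCHAR_OFFSET, magic == PE32PLUS_MAGIC


def aslr_status(image: bytes) -> dict:
    """Report the ASLR-related header bits and whether HEASLR will actually apply."""
    pos, is64 = _locate_dllchar(image)
    (dc,) = struct.unpack_from("<H", image, pos)
    dyn = bool(dc & DYNAMIC_BASE)
    hev = bool(dc & HIGH_ENTROPY_VA)
    return {
        "pe32plus": is64,
        "dynamic_base": dyn,
        "high_entropy_va": hev,
        "nx_compat": bool(dc & NX_COMPAT),
        "guard_cf": bool(dc & GUARD_CF),
        # The loader only gives a 64-bit image high-entropy addresses when both bits are set.
        "effective_heaslr": is64 and dyn and hev,
    }


def enable_heaslr(image: bytes) -> bytes:
    """Return a copy with DYNAMIC_BASE and HIGH_ENTROPY_VA set (what editbin /HIGHENTROPYVA does)."""
    pos, _ = _locate_dllchar(image)
    buf = bytearray(image)
    (dc,) = struct.unpack_from("<H", buf, pos)
    struct.pack_into("<H", buf, pos, dc | DYNAMIC_BASE | HIGH_ENTROPY_VA)
    return bytes(buf)


def build_stub_pe(dll_characteristics: int, pe32plus: bool = True) -> bytes:
    """Constructed header-only PE stub for offline testing; assumption, not a loadable image."""
    e_lfanew = 0x40
    dos = bytearray(e_lfanew)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, e_lfanew)
    opt_size = 240 if pe32plus else 224
    machine = 0x8664 if pe32plus else 0x14C
    # COFF header: Machine, NumberOfSections, TimeDateStamp, PointerToSymbolTable,
    # NumberOfSymbols, SizeOfOptionalHeader, Characteristics.
    coff = struct.pack("<HHIIIHH", machine, 0, 0, 0, 0, opt_size, 0x0102)
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, PE32PLUS_MAGIC if pe32plus else PE32_MAGIC)
    struct.pack_into("<H", opt, DLLCHAR_OFFSET, dll_characteristics)
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt)


if __name__ == "__main__":
    import sys
    # Usage: python heaslr_check.py KeePass.exe  (falls back to the constructed stub)
    path = sys.argv[1] if len(sys.argv) > 1 else None
    data = open(path, "rb").read() if path else build_stub_pe(DYNAMIC_BASE | NX_COMPAT)
    for key, value in aslr_status(data).items():
        print("%-16s %s" % (key, value))
```

The header bit is only half the story: the "configuration panel of Windows 10" route in the post is Exploit Protection, which can force high-entropy bottom-up randomisation on a process regardless of its header (for scripting, the `Set-ProcessMitigation -Name KeePass.exe -Enable HighEntropy` cmdlet exists for that; treat the exact parameter set as something to confirm against your Windows build). Either way, confirming it in Process Explorer as Dominik did below, or via `Get-ProcessMitigation`, is the check that matters, since a 32-bit image will show the bit as set here but never get the extra entropy.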
  • Dominik Reichl

    Dominik Reichl - 2019-02-05

    HEASLR doesn't prevent KeeThief-like applications from working. For testing, I turned on HEASLR for KeePass.exe (and checked with Process Explorer that it's really used) and ran KeeFarce; KeeFarce still worked as expected.

    Best regards,
    Dominik

    • John Jones

      John Jones - 2019-02-05

      The KeeThief method is slightly different from KeeFarce, as it doesn't require high privileges:
      https://www.harmj0y.net/blog/redteaming/keethief-a-case-study-in-attacking-keepass-part-2/
      Check out the "KeeThief vs. KeeFarce" section, and "KeeThief's Approach" for how it's done in KeeThief.


      Last edit: John Jones 2019-02-05
  • John Jones

    John Jones - 2019-02-05

    I'm not so sure about dealing with methods like KeeFarce, as they are highly complex.
    In their blog they show a ridiculously easy way to specifically attack KeePass:
    set up a trigger to extract all data; you can edit the XML to run it as soon as the DB is opened.
    A simple "script", without executing any programs; KeePass executes the "malware" for you as a trigger, which is why some time ago I asked if it's possible to have an option kept inside the DB to prevent triggers from running.


    Last edit: John Jones 2019-02-05
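The trigger attack described in the post above leaves its footprint in KeePass.config.xml rather than in a running process, so the practical check is to enumerate the triggers that file declares and alert on any that were not put there deliberately. The script below is an added example and is not code from KeePass or from the thread. The element names it walks (Application/TriggerSystem/Triggers/Trigger with Name, Enabled, Events/Event, Actions/Action, TypeGuid and Parameters/Parameter) follow the layout of the KeePass 2.x config file as I recall it and are an assumption to verify against your own installation; the sample config, its trigger name and its placeholder GUID values are constructed for the example.

```python
"""Enumerate and flag triggers in a KeePass.config.xml.

Added example, not part of KeePass or of the thread. Element names are an
assumption about the KeePass 2.x config layout; SAMPLE_CONFIG is constructed
and its GUID values are placeholders, not real KeePass type identifiers.
"""
import xml.etree.ElementTree as ET

# Constructed sample: one trigger that fires on an event and runs an action whose
# parameters name an export path, the shape of the attack discussed in the thread.
SAMPLE_CONFIG = """\
<Configuration xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
               xmlns:xsd="http://www.w3.org/2001/XMLSchema">
  <Application>
    <TriggerSystem>
      <Enabled>true</Enabled>
      <Triggers>
        <Trigger>
          <Guid>AAAAAAAAAAAAAAAAAAAAAA==</Guid>
          <Name>exfil</Name>
          <Enabled>true</Enabled>
          <Events>
            <Event>
              <TypeGuid>EVENT-TYPE-PLACEHOLDER</TypeGuid>
              <Parameters><Parameter>0</Parameter><Parameter /></Parameters>
            </Event>
          </Events>
          <Conditions />
          <Actions>
            <Action>
              <TypeGuid>ACTION-TYPE-PLACEHOLDER</TypeGuid>
              <Parameters>
                <Parameter>C:\\Users\\Public\\export.xml</Parameter>
                <Parameter>KeePass XML (2.x)</Parameter>
              </Parameters>
            </Action>
          </Actions>
        </Trigger>
      </Triggers>
    </TriggerSystem>
  </Application>
</Configuration>
"""


def _flag(text, default):
    return default if text is None else text.strip().lower() == "true"


def trigger_system_enabled(config_xml: str) -> bool:
    """True if the config enables the trigger system at all (absent element treated as enabled)."""
    root = ET.fromstring(config_xml)
    return _flag(root.findtext("./Application/TriggerSystem/Enabled"), True)


def list_triggers(config_xml: str) -> list:
    """Return one dict per trigger: name, enabled flag, event type ids and actions with parameters."""
    root = ET.fromstring(config_xml)
    triggers = []
    for trig in root.findall("./Application/TriggerSystem/Triggers/Trigger"):
        triggers.append({
            "name": (trig.findtext("Name") or "").strip(),
            "enabled": _flag(trig.findtext("Enabled"), True),
            "events": [e.findtext("TypeGuid") for e in trig.findall("./Events/Event")],
            "actions": [
                {
                    "type": a.findtext("TypeGuid"),
                    "params": [p.text or "" for p in a.findall("./Parameters/Parameter")],
                }
                for a in trig.findall("./Actions/Action")
            ],
        })
    return triggers


def suspicious_triggers(config_xml: str, allowlist=()) -> list:
    """Names of enabled triggers that are not on the operator's allowlist.

    Heuristic: on a machine where the user never set up triggers, any trigger at
    all is a finding; where some are legitimate, list them in allowlist.
    """
    if not trigger_system_enabled(config_xml):
        return []
    return [t["name"] for t in list_triggers(config_xml)
            if t["enabled"] and t["name"] not in allowlist]


def file_parameters(config_xml: str) -> list:
    """(trigger name, parameter) pairs whose action parameters look like file paths."""
    hits = []
    for t in list_triggers(config_xml):
        for action in t["actions"]:
            for p in action["params"]:
                if "\\" in p or "/" in p:
                    hits.append((t["name"], p))
    return hits


if __name__ == "__main__":
    import sys
    # Usage: python keepass_triggers.py %APPDATA%\KeePass\KeePass.config.xml
    text = open(sys.argv[1], encoding="utf-8").read() if len(sys.argv) > 1 else SAMPLE_CONFIG
    for name in suspicious_triggers(text):
        print("unexpected trigger:", name)
    for name, param in file_parameters(text):
        print("trigger %r writes to or reads %r" % (name, param))
```

Run it against a known-good copy of the config once, record the output, and rerun it on a schedule or at login; a newly appearing trigger is the signal. This only covers the config-file route from the post, not code running inside the KeePass process, and it assumes the attacker has not also altered the tool or its baseline.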
  • Dominik Reichl

    Dominik Reichl - 2019-02-05

    KeeFarce doesn't require any high privileges either. From a security point of view, KeeThief and KeeFarce are equivalent; the user runs them (without administrative rights) and they extract data.

    Best regards,
    Dominik

    • John Jones

      John Jones - 2019-02-05

      As they show in the same link, a simple edit to the KeePass.config.xml can be used without executing any "malware", are you considering that out of scope as well?

  • Theliel

    Theliel - 2019-02-05

    As I said at the beginning, HEASLR is a mitigation against any malware that wants to "play dirty" with our memory, such as KeeThief (to steal the master password from memory), and it hinders others. HEASLR, however, does not prevent other possible attack vectors, such as the one used by KeeFarce or the modification of the configuration file.

    KeeFarce uses KeePass's own calls to "trigger" the export of the database, injecting code into the same .NET execution window.

    Avoiding KeeFarce as KeePass is designed is more complicated, because, as Dominik has said, the export is a function of the application itself. I can think of a couple of possible mitigations for this, but none that is magical; it is complicated.

    In any case, HEASLR should be a good measure. KeeThief works in its first steps similarly to KeeFarce, but tries to recover the master password instead of calling the export function. Well, it is not perfect, but again, it works fine against some attacks and is pretty simple to add.


