^^ Was just about to recommend VeraCrypt.
Correct, full disk encryption makes it a lot harder for someone to exploit this. Even if your computer is stolen, there's not much an attacker can do.
Yes, that is correct. Your database file alone without anything else isn't enough.
SecureTextBoxEx is a class used only in KeePass, it's part of the code. Windows.Forms.TextBox is a class in .NET Windows Forms. There are other UI frameworks, like WPF, that have dedicated password boxes (e.g. PasswordBox). There are also many other programming languages and UI frameworks that may or may not have the same issue. This particular behavior isn't related to the OS, but rather .NET CLR (Mono on Linux/macOS).
I see... In that case, I'd like to apologize to Dominik and everyone else for the problems caused. This wasn't the best way to handle it. I got confused by the previous statement on the contact page, saying that I shouldn't send anything KeePass-related to the email and it will be ignored.
I see... In that case, I'd like to apologize for the problems caused. This wasn't the best way to handle it. I got confused by the previous statement on the contact page, saying that I shouldn't send anything KeePass-related to the email and it will be ignored.
When the issue was already described publicly, anyone could have made their PoC for themselves with a few lines of code (see the PoC). I think that at that point, it is right to release it so that you can test if you are vulnerable or not.
Of course, it's not a standard practice! That's why in my first post I've asked if there's a dedicated contact for security disclosures. Usually, projects have an established way you should communicate security issues, like contacting the maintainer directly. KeePass doesn't seem to have one. When I look back, other issues are discussed publicly on the forum as well. This is unconventional, but it's not my project, so I don't think I am in a position to tell anyone how to do things.
That is correct! That's why in my first post I've asked if there's a dedicated contact for security disclosures. Usually, projects have an established way you should communicate security issues, like contacting the maintainer directly. KeePass doesn't seem to have one. When I look back, other issues are discussed publicly on the forum as well. This is unconventional, but it's not my project, so I don't think I am in a position to tell anyone how to do things.
@Glen, @Don Cruickshank Thanks for the clarification! I've just tried it on Windows 11 and unfortunately, even with the "Enter master key on secure desktop" option enabled I was able to still reproduce the attack and recover the password.
Thanks for the clarification! I've just tried it on Windows 11 and unfortunately, even with the "Enter master key on secure desktop" option enabled I was able to still reproduce the attack and recover the password.
It is, I've just confirmed it for the keepass2 package on Debian (KeePass 2.47)
Of course! If there's no way anyone could access any files or RAM on your computer, then you are fine.
Hello, thanks for reporting the issue! I think we shouldn't clutter this thread with the PoC-related problems. Could you please create an issue here? https://github.com/vdohney/keepass-password-dumper/issues
"As this issue is caused by the operating system" - It is not - you would have the same issue if you run the same code on Linux or macOS through Mono. But it is true that .NET isn't very helpful here... The proposed fix deals with this.
An attacker needs read access to your filesystem or your RAM. Realistically, if your computer is infected by malware that's running in the background, this doesn't make it much worse - for that you could already be attacked by e.g. KeeFarce etc. (and there's no protection against that without specialized HW). Unless you expect to be specifically targeted by someone sophisticated, I would keep calm. The issue here could be, say, someone stealing your computer and taking the HDD out. It's not entirely...
Nice, that's a pretty creative fix! I've tested it and it seems to be doing the job, even the order in which the strings appear is useless now (the dummy strings can come both before and after the real character). I can no longer reproduce the attack. Thanks for fixing this, Dominik! Any estimate on when this is released?
Thanks for your quick response! No, that is not what I did. The password always stays hidden. I take it that I can post here then. The problem is with SecureTextBoxEx. Because of the way it processes input, when the user types the password, there will be leftover strings. For example, when "Password" is typed, it will result in these leftover strings: •a, ••s, •••s, ••••w, •••••o, ••••••r, •••••••d. It is surprisingly reliable, try it! POC here: https://github.com/vdohney/keepass-password-dumper...
Thanks for your quick response! No, that is not what I did. The password always stays hidden. I take it that I can post here then. The problem is with SecureTextBoxEx. Because of the way it processes input, when the user types the password, there will be leftover strings. For example, when "Password" is typed, it will result in these leftover strings: •a, ••s, •••s, ••••w, •••••o, ••••••r, •••••••d. It is surprisingly reliable, try it! POC here: https://github.com/vdohney/keepass-password-dumper/blob/main/Program.cs...
Hello, First I'd like to thank Dominik and others for the great work they are doing on KeePass! I found a potential issue in the latest KeePass 2.X (default settings). Given a process memory dump, I am able to reconstruct the master password. It doesn't matter whether the workspace is locked or not, it works regardless. The memory source also isn't important - for example, it can be a pagefile (swap) or the hibernation file. No code execution is needed, just the memory alone. I haven't found a contact...
Hello, First I'd like to thank Dominik and others for the great work they are doing on KeePass! I found a potential issue in the latest KeePass 2.X (default settings). Given a process memory dump, I am able to reconstruct the master password. It doesn't matter whether the workspace is locked or not, it works regardless. The memory source also isn't important - it can also be a pagefile (swap) or the hibernation file. No code execution is needed, just the memory alone. I haven't found a contact for...